A million WordPress sites vulnerable to a malicious plugin: OptinMonster exploits high-severity flaw allowing unauthorized API access and sensitive information disclosure

WordPress Websites OptinMonster Plugin Security Vulnerability
OptinMonster Security Vulnerability patch is available. Pic credit: Marjan Krebelj/Flickr

A simple, effective, and powerful plugin is also vulnerable to a severe exploit that allows malicious redirects and data extraction. About a million WordPress websites are at risk owing to the OptinMonster plugin.

All WordPress website administrators should immediately update the OptinMonster plugin to the latest version available. Until the update is installed, the plugin remains vulnerable to a high-severity flaw, tagged CVE-2021-39341. It allows unauthorized API access and sensitive information disclosure.

OptinMonster has severe security vulnerability putting a million WordPress sites at risk, but a patch is available:

OptinMonster is one of the popular WordPress plugins. Website developers often use the same to create appealing opt-in forms. The plugin essentially helps site owners convert visitors to subscribers/customers.

The creators of OptinMonster indicate the plugin is a reliable lead generator and monetization tool. The plugin reportedly has several features, but the focus is on ease of use. According to some estimates, close to a million WordPress sites regularly rely on the OptinMonster plugin.

As per the vulnerability disclosure report, OptinMonster’s power relies upon API endpoints that allow seamless integration and a streamlined design process.

The implementation of these endpoints, however, is open, unsecure, or vulnerable. The report cites ‘/wp-json/omapp/v1/support’ endpoint as an ideal example.

This particular endpoint can reportedly disclose data, including the WordPress site’s full path on the server, API keys it uses for requests on the site, and a lot more.

Severe vulnerability can put every visitor to a WordPress site using this plugin, at risk:

Concerningly, an attacker holding the API key could make arbitrary changes on the OptinMonster accounts. Additionally, attackers could also plant malicious JavaScript snippets. Needless to mention, this would mean any visitor to the website could be a potential victim.

The WordPress site would automatically execute the malicious code every time an unsuspecting visitor accessed the OptinMonster element. This execution would be silent and the admin would not become aware of the same.

Incidentally, the developers of the plugin acknowledged the entire API needed to be tweaked. Accordingly, the team has been developing multiple updates after they received the security vulnerability report.

It is not clear which updates address the security bug, but version 2.6.5 and above should have the necessary patches. As a precautionary measure, the team has invalidated all API keys which might have ended up in unauthorized hands. As a result, affected WordPress site owners would have had to generate new keys.

In light of the discovery, several security experts are warning site owners to conduct an audit about the plugins they use. As a safety precaution, always use the bare minimum plugins, and update them frequently.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x

Warning: Undefined variable $posts in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309

Warning: Trying to access array offset on value of type null in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309

Warning: Attempt to read property "post_author" on null in /home/thetechherald/public_html/wp-content/themes/generatepress_child/functions.php on line 309