A simple, effective, and widely used plugin has been found to carry a severe vulnerability that allows malicious redirects and data extraction. About a million WordPress websites are at risk because of a flaw in the OptinMonster plugin.
All WordPress site administrators should update the OptinMonster plugin to the latest available version immediately. Until the update is installed, the plugin remains exposed to a high-severity flaw, tracked as CVE-2021-39341, that allows unauthorized API access and sensitive information disclosure.
OptinMonster has a severe security vulnerability that puts a million WordPress sites at risk, but a patch is available:
OptinMonster is one of the more popular WordPress plugins. Website developers often use it to create appealing opt-in forms; the plugin essentially helps site owners convert visitors into subscribers or customers.
The creators of OptinMonster describe the plugin as a reliable lead-generation and monetization tool. It offers several features, but the focus is on ease of use. According to some estimates, close to a million WordPress sites rely on the OptinMonster plugin.
The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites. #cybersecurity https://t.co/DchSylrszN
— CyberTzar (@cybertzar) October 29, 2021
According to the vulnerability disclosure report, OptinMonster's functionality relies on REST API endpoints that allow seamless integration and a streamlined design process.
The implementation of these endpoints, however, left them insecure: they could be reached without proper authorization. The report cites the '/wp-json/omapp/v1/support' endpoint as the clearest example.
That endpoint could disclose data including the WordPress site's full path on the server, the API keys the site uses for its requests, and other information.
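For administrators who want to know whether that endpoint was probed on their own site before they patched, the following Python script is an added example (it is not from the article, from the disclosure report, or from OptinMonster): it scans web-server access-log lines for requests served from the omapp REST namespace and summarizes which clients hit it and when. It assumes the common "combined" log format, uses a handful of constructed sample lines rather than real traffic, and treats a 2xx response on the endpoint as a possible disclosure; the log alone cannot prove what the response body contained, so a hit is a lead for investigation, not confirmation of compromise.

```python
import re
from collections import Counter
from datetime import datetime

# Requests to OptinMonster's REST namespace. The /support endpoint is the one the
# disclosure report cites as returning the site path and API keys to unauthorized callers.
OMAPP_PREFIX = "/wp-json/omapp/v1/"

# Constructed sample access-log lines in the "combined" format (not real traffic).
# The IPs are documentation ranges and the dates were chosen for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2021:10:01:12 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 200 1843 "-" "python-requests/2.26.0"
198.51.100.7 - - [27/Oct/2021:10:02:30 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Oct/2021:10:02:45 +0000] "GET /wp-json/omapp/v1/support?x=1 HTTP/1.1" 200 1843 "-" "python-requests/2.26.0"
192.0.2.44 - - [27/Oct/2021:10:05:01 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 401 120 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2021:03:14:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 880 "-" "curl/7.79.1"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, size, referer and user agent. Lines that do not match are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so "/support?x=1" still matches the prefix check.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_omapp_hits(log_text: str, served_only: bool = True):
    """Return parsed records for requests under the omapp namespace.

    With served_only=True only 2xx responses are kept: a 401/403 means the
    endpoint refused the caller, so nothing was disclosed on that request.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(OMAPP_PREFIX):
            continue
        if served_only and not 200 <= rec["status"] < 300:
            continue
        hits.append(rec)
    return hits


def hits_by_client(hits):
    """Count served hits per client IP so repeat probers stand out."""
    return Counter(h["ip"] for h in hits)


def first_seen(hits):
    """Earliest timestamp among the hits, or None; compare this with the date the patch was applied."""
    return min((h["ts"] for h in hits), default=None)


if __name__ == "__main__":
    hits = find_omapp_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("clients:", dict(hits_by_client(hits)))
    print("first seen:", first_seen(hits))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents (or reading the file line by line for large logs). Any served hit from a client that is not the site's own administrators is a reason to rotate the OptinMonster API key and review the campaigns the site loads, even after updating the plugin.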
The severe vulnerability can put every visitor to a WordPress site using this plugin at risk:
Malicious code placed on the site through the exposed API would be executed every time an unsuspecting visitor loaded the OptinMonster element. The execution would be silent, and the administrator would not become aware of it.
Notably, the plugin's developers acknowledged that the entire API needed to be reworked. Accordingly, the team has been shipping multiple updates since it received the vulnerability report.
It is not clear which updates address the security bug, but version 2.6.5 and above should contain the necessary patches. As a precaution, the team has also invalidated all API keys that might have ended up in unauthorized hands, so affected WordPress site owners have had to generate new keys.
In light of the discovery, several security experts are urging site owners to audit the plugins they use. As a general precaution, run the bare minimum of plugins and update them frequently.