Vulnerabilities in OptinMonster, a WordPress email marketing plugin, exposed more than a million websites to exploitation. According to Wordfence security researchers.
If the flaws aren’t fixed, an unauthenticated attacker will be able to export sensitive data. And inject malicious JavaScript into vulnerable WordPress sites, among other things.
The Wordfence Threat Intelligence team notified the plugin’s developers of the problem on September 28. OptinMonster 2.6.5, a fully patched edition was released on October 7.
Wordfence issued a security advisory outlining its findings on Wednesday (October 27).
OptinMonster is a WordPress plugin that assists website owners in generating eCommerce leads and creating sales campaigns. For integration, the software heavily relies on API endpoints.
Wordfence security researchers discovered a weakness in the technology with this feature:
The majority of the REST-API endpoints insecurely implemented. Making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site.
With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account. And add malicious JavaScript that would execute anytime a campaign displayed on the exploited site.
More from Wordfence
According to the Wordfence researchers, nearly every other REST-API endpoint registered in the plugin was vulnerabilities to authorization bypass due to insufficient capability checking, including the /wp-json/omapp/v1/support endpoint.
Another flaw allowed unauthenticated attackers – in practice, any technically illiterate visitor to a WordPress site – to compromise the software without requiring any login credentials.
The problem stems from issues with thelogged_in_or_has_api_key function.
As an added precaution, the “OptinMonster team invalidated all API keys to force site owners to generate new keys in the off chance. That a key previously compromised,” according to Wordfence. The plugin software also updated.
According to the most recent WordPress plugin store statistics, nearly a quarter of OptinMonster’s one million users (23.6 percent) are using outdated builds. Also, the remaining figure represents all 2.6 branch installations, which are all insecure below 2.6.5.
The exact percentage of vulnerabilities installs is unknown because there is no more granular breakdown of the number of sites. That have already upgraded to 2.6.5 or the most recent 2.6.6 version of OptinMonster.
Moreover, users of OptinMonster strongly advised to update to the most recent, patched version of the plugin (2.6.5 or higher). Regardless of any secondary security protection they may have, in order to protect themselves from potential attacks.
You may also like:
Leave A Comment