OptinMonster 2.6.5 Patches Multiple Security Vulnerabilities

In late September, Chloe Chamberland, a researcher at Wordfence, discovered multiple security vulnerabilities in the OptinMonster plugin, which could allow unauthenticated attackers to export sensitive information and inject malicious JavaScript into vulnerable sites.

The OptinMonster team promptly patched the plugin and updated the plugin again after more feedback from the Wordfence team. Version 2.6.5 was released on October 7, 2021, to address these issues.

OptinMonster is used on more than 1 million WordPress sites to create popup campaigns, email subscription forms, sticky announcement bars, and gamified spin-a-wheel opt-in forms. The plugin relies heavily on the use of WP REST API endpoints. Chamberland identified the majority of these endpoints as “insecurely implemented:”

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site. Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint.
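The defect class described above, a REST route that hands out diagnostic data without checking who is asking, is easiest to see next to its hardened form. The following is an added illustration written for this article, not OptinMonster's own code: it registers a WordPress REST route under the namespace and path named in the quote, first with a permission callback that admits anyone, then with one that requires an administrator and returns a 401 or 403 before the handler runs. The function names, the `example_api_key` option and the payload fields are assumptions made for the example.

```php
<?php
// Added illustration, not OptinMonster's code. Shows how a WordPress REST
// route that exposes diagnostic data should gate access. Route namespace and
// path match the endpoint named in the article; everything else is hypothetical.

// Weak pattern: '__return_true' as the permission_callback makes the route
// reachable by unauthenticated visitors, which is the defect class described
// above. Shown for contrast only; it is not hooked into rest_api_init below.
function example_register_support_route_weak() {
    register_rest_route( 'omapp/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_support_data',
        'permission_callback' => '__return_true', // anyone may call this
    ) );
}

// Hardened pattern: a dedicated permission callback that rejects anonymous
// callers and callers without a high-privilege capability.
function example_register_support_route_hardened() {
    register_rest_route( 'omapp/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_support_data',
        'permission_callback' => 'example_support_permission',
    ) );
}

// Returning a WP_Error from permission_callback short-circuits the request:
// the handler never runs and the client receives the given HTTP status.
function example_support_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Even for authorized callers, do not echo secrets such as API keys or the
// server filesystem path into a support payload; report only whether a key
// is configured and non-sensitive site facts.
function example_support_data( WP_REST_Request $request ) {
    $api_key = get_option( 'example_api_key', '' ); // hypothetical option name
    return rest_ensure_response( array(
        'api_key_present' => ( $api_key !== '' ),
        'site_url'        => home_url(),
    ) );
}

add_action( 'rest_api_init', 'example_register_support_route_hardened' );
```

In WordPress, `is_user_logged_in()` only succeeds for a REST request when the caller presents valid cookie authentication together with an `X-WP-Nonce` header (or another authentication method such as application passwords), so an anonymous `GET /wp-json/omapp/v1/support` is stopped at the permission callback. Reviewing a plugin's `register_rest_route()` calls for `'__return_true'` permission callbacks on routes that read or change state is a quick way to find this pattern during a code audit.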

Chamberland described how any unauthenticated attacker could add malicious JavaScript to vulnerable OptinMonster sites and redirect visitors to external malicious domains, or create the opportunity for site takeover using JavaScript to inject new admin user accounts.

As a precaution, OptinMonster has invalidated all API keys, forcing administrators to generate new ones, in case any keys had been previously compromised. There are no sites known to have been exploited at this time, but the vulnerabilities are now public. Site owners are advised to update to the latest version of the plugin as soon as possible.
