A serious information disclosure bug existed in the WordPress plugin OptinMonster. Exploiting the vulnerability could allow an adversary to inject malicious code into target websites, access APIs, and export data. Given the plugin's huge download count, the vulnerability put more than a million websites worldwide at risk.
OptinMonster Plugin Bug
Team Wordfence has shared details of a high-severity flaw in the OptinMonster plugin, a WordPress plugin for site marketing and building popups. The plugin page reports over 1 million downloads, which hints at how severe an exploit of the flaw could be.
As elaborated in their blog post, the researchers found the majority of the plugin’s REST API endpoints vulnerable to unauthenticated attackers. The most severe of them all was the
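In WordPress, whether a REST route is reachable without authentication is decided by the `permission_callback` argument passed to `register_rest_route()`. The following is an added illustration of that mechanism, not OptinMonster's own code: the namespace `example-plugin/v1`, the route paths and the callback names are hypothetical, and it shows a public (weak) registration beside a hardened one that requires a capable, logged-in user.

```php
<?php
// Illustrative WordPress plugin snippet, not OptinMonster's code. The
// namespace 'example-plugin/v1', the routes and the callback are hypothetical.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' makes the route public, so any unauthenticated
    // visitor can read or change the setting through /wp-json/.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require a logged-in user with the needed capability. With
    // cookie authentication WordPress also demands a valid X-WP-Nonce header,
    // so a cross-site request riding on an admin's session is treated as
    // unauthenticated and rejected here.
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        // Declare and sanitize the accepted input instead of trusting raw params.
        'args' => array(
            'enabled' => array(
                'type'              => 'boolean',
                'required'          => true,
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
    ) );
} );

// Shared handler: persists the flag and echoes the stored value back.
function example_plugin_update_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_enabled', (bool) $request->get_param( 'enabled' ) );
    return rest_ensure_response( array(
        'enabled' => (bool) get_option( 'example_plugin_enabled' ),
    ) );
}
```

Auditing a plugin for this class of bug means reviewing every `register_rest_route()` call for a `permission_callback` that is missing, always returns true, or relies on a value an anonymous client can supply.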
Explaining the impact of a possible exploit, Wordfence stated,
Developers Fixed The Bug
Following this discovery, Wordfence reached out to the plugin developers to report the flaw. Commendably, the developers responded swiftly to address the matter.
And on October 7, 2021, the developers rolled out the fix with the plugin version 2.6.5.
Nonetheless, that is not the latest release: the authors have since published version 2.6.6, and as the changelog shows, this update also fixes numerous bugs.
Therefore, to stay protected from security threats and glitches, all WordPress admins should make sure their sites run the latest plugin version.