A serious information disclosure bug existed in the WordPress plugin OptinMonster. Exploiting the vulnerability could allow an adversary to infect target websites with malicious codes, access APIs, and export data. Given the huge number of plugin downloads, the vulnerability risked more than a million websites globally.
OptinMonster Plugin Bug
Team Wordfence has shared details about a high-severity flaw in the OptinMonster plugin. It is a dedicated WordPress plugin for site marketing and building popups. The plugin page boasts over 1 million downloads, hinting the potential severity of the plugin flaw in case of an exploit.
As elaborated in their blog post, the researchers found the majority of the plugin’s REST API endpoints vulnerable to unauthenticated attackers. The most severe of them all was the /wp-json/omapp/v1/support endpoint that exposed sensitive data as well as the API key required to make requests. Hence, an adversary could abuse the key to maliciously modify the target website with JavaScript codes – that too, without authentication.
Explaining the impact of a possible exploit, Wordfence stated,
Any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plugin code with a webshell to gain backdoor access to a site.
Developers Fixed The Bug
Following this discovery, Wordfence reached out to the plugin developers to report the flaw. Appreciably, the developers responded swiftly to address the matter.
And on October 7, 2021, the developers rolled out the fix with the plugin version 2.6.5.
Nonetheless, that’s not the last update at the moment since the authors have also released the version 2.6.6. As visible through the changelog, this update also addresses numerous bugs.
Therefore, to remain safe from potential security threats and glitches, all WordPress admins should ensure updating their sites with the latest plugin version.
Let us know your thoughts in the comments.