A high-severity issue in the OptinMonster plugin permits unauthorised API access and sensitive information disclosure on around a million WordPress sites.
The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021.
All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted.
OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers.
It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.
According to Chamberland's vulnerability disclosure report, OptinMonster's power is based on API endpoints that provide easy integration and a streamlined design process.
However, the implementation of these endpoints isn't always safe, with the '/wp-json/omapp/v1/support' endpoint being the most critical example.
This endpoint can disclose information such as the site's full path on the server, the API keys used for site requests, and more.
An attacker with access to the API key could make modifications to the OptinMonster accounts or even inject malicious JavaScript snippets into the site.
Without anyone's knowledge, the site would run this code every time a visitor activated an OptinMonster element.
To make matters worse, the intruder would not even need to authenticate to the targeted site in order to use the API endpoint, since an HTTP request could bypass the security checks under certain simple conditions.
While the '/wp-json/omapp/v1/support' endpoint is the worst-case scenario, it is not the only insecure REST API endpoint that may be exploited.
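Because the disclosure hinges on unauthenticated requests to a named REST route, it is straightforward for a site owner to hunt for in web-server access logs. The following is an added example (not code from the article, the researcher, or the plugin's authors) that parses constructed combined-format access-log lines, flags successful requests to '/wp-json/omapp/v1/support', and counts the source addresses; the log layout and sample entries are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2021:10:12:01 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 200 1843 "-" "python-requests/2.26.0"
198.51.100.4 - - [08/Oct/2021:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2021:10:12:09 +0000] "GET /wp-json/omapp/v1/support?x=1 HTTP/1.1" 200 1843 "-" "curl/7.68.0"
192.0.2.9 - - [08/Oct/2021:10:13:00 +0000] "GET /wp-json/omapp/v1/campaigns HTTP/1.1" 401 77 "-" "Mozilla/5.0"
"""

# Assumed combined-format layout: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The endpoint named in the article; other omapp routes are recorded as lower-confidence hits.
HIGH_RISK_PATH = "/wp-json/omapp/v1/support"
API_PREFIX = "/wp-json/omapp/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before comparing paths
    rec["status"] = int(rec["status"])
    return rec


def find_omapp_hits(log_text):
    """Return (high_risk, other): successful /support requests vs. any other omapp API traffic."""
    high, other = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(API_PREFIX):
            continue
        # A 200 on /support means the endpoint answered, i.e. the site data was handed out.
        if rec["path"] == HIGH_RISK_PATH and rec["status"] == 200:
            high.append(rec)
        else:
            other.append(rec)
    return high, other


def sources_by_count(hits):
    """Source addresses ranked by how many flagged requests they made."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    high, other = find_omapp_hits(SAMPLE_LOG)
    for ip, n in sources_by_count(high):
        print(f"{ip}: {n} successful request(s) to {HIGH_RISK_PATH}")
```

Any successful hit from an address that is not the site's own tooling is a reason to rotate the OptinMonster API key and update the plugin.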
When the researcher's findings reached the OptinMonster team, the popular WordPress plugin's developers understood that the entire API needed to be revisited.
As a result, all OptinMonster upgrades that appear on the WordPress dashboard in the next weeks must be installed, as they will most likely resolve further API issues.
Meanwhile, any API keys that may have been stolen were immediately invalidated, forcing site owners to generate new keys.
This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws over extended periods.