A popular WordPress plugin named OptinMonster is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on around a million WordPress sites.
The vulnerability dubbed as CVE-2021-39341, was discovered by researcher Chloe Chamberland on September 28, 2021, and a patch was available on October 7, 2021.
All users of the OptinMonster plugin are recommended to upgrade to version 2.6.5 or later, as all earlier versions are affected.
OptinMonster, one of the most popular WordPress plugins is used to create beautiful opt-in forms that help site owners convert visitors to subscribers/customers.
It is essentially a lead generator and monetization tool, with numerous and easy to use features and is deployed on approximately a million sites.
Chamberland stated in her vulnerability disclosure report that OptinMonster’s power relies upon API endpoints that allow seamless integration and a streamlined design process.
However, the implementation of these endpoints is not always secure, and the most critical example concerns the ‘/wp-json/omapp/v1/support’ endpoint.
This endpoint can disclose data such as the site’s full path on the server, API keys used for requests on the site, and more.
The site would execute this code every time an OptinMonster element was activated by a visitor without anyone’s knowledge.
The attacker does not even have to authenticate on the targeted site to access the API endpoint, as an HTTP request would bypass security checks under certain, easy to meet conditions.
While the case of the ‘/wp-json/omapp/v1/support’ endpoint is the worse, it is not the only insecure REST-API endpoint vulnerable to exploitation.
The site owners must try to use minimum number of plugins to cover the necessary functionality and usability and apply plugin updates at the earliest.