In late September, Chloe Chamberland, a researcher at Wordfence, discovered multiple security vulnerabilities in the OptinMonster plugin, which could allow unauthenticated attackers to export sensitive information and inject malicious JavaScript into vulnerable sites.
The OptinMonster team promptly patched the plugin and updated the plugin again after more feedback from the Wordfence team. Version 2.6.5 was released on October 7, 2021, to address these issues.
OptinMonster is used on more than 1 million WordPress sites to create popup campaigns, email subscription forms, sticky announcement bars, and gamified spin-a-wheel opt-in forms. The plugin relies heavily on the use of WP REST API endpoints. Chamberland identified the majority of these endpoints as “insecurely implemented”:
The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site. Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint.
Chamberland described how any unauthenticated attacker could add malicious JavaScript to vulnerable OptinMonster sites and redirect visitors to external malicious domains, or create the opportunity for site takeover using JavaScript to inject new admin user accounts.
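The security-relevant point in the finding above is a REST endpoint that hands out secrets to callers who never authenticated. The snippet below is an added illustration, not OptinMonster's or Wordfence's code, of how a WordPress plugin gates a REST route through the permission_callback argument of register_rest_route(), showing the weak setting beside the hardened one. The namespace example-plugin/v1, the two route names, the option name example_plugin_api_key, and the function names are assumptions chosen for this example.

```php
<?php
/**
 * Illustrative WordPress plugin snippet (added example, not OptinMonster's code).
 * Registers two versions of a hypothetical "support" REST endpoint that returns
 * diagnostic data including a stored API key: one with no access control and
 * one gated by a capability check. Namespace, routes, option name and function
 * names are assumptions for the illustration.
 */

add_action( 'rest_api_init', function () {
    // WEAK: permission_callback returns true for everyone, so an unauthenticated
    // GET to /wp-json/example-plugin/v1/support-insecure reaches the callback
    // and discloses whatever it returns.
    register_rest_route( 'example-plugin/v1', '/support-insecure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_support_data',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: only logged-in users holding manage_options (administrators)
    // may read it; everyone else is rejected before the callback runs.
    register_rest_route( 'example-plugin/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_support_data',
        'permission_callback' => 'example_plugin_can_read_support',
    ) );
} );

/**
 * Permission callback: 401 for anonymous callers, 403 for authenticated users
 * who lack the administrator capability, true otherwise.
 */
function example_plugin_can_read_support( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            array( 'status' => 403 )
        );
    }
    return true;
}

/**
 * Route callback. Even for authorised callers, the response masks the key and
 * omits the server filesystem path; a support ticket rarely needs either.
 */
function example_plugin_support_data( WP_REST_Request $request ) {
    $key    = (string) get_option( 'example_plugin_api_key', '' );
    $masked = ( '' === $key )
        ? null
        : substr( $key, 0, 4 ) . str_repeat( '*', max( 0, strlen( $key ) - 4 ) );

    return rest_ensure_response( array(
        'site_url'       => home_url(),
        'api_key_masked' => $masked,
        'wp_version'     => get_bloginfo( 'version' ),
    ) );
}
```

Two points worth checking when reviewing a plugin's REST routes: every register_rest_route() call should carry a permission_callback that tests a capability rather than returning true or checking a header the client controls, and cookie-authenticated requests only count as logged in when they also carry a valid X-WP-Nonce, so a browser-side script that calls the hardened route must send the nonce WordPress issues via wp_create_nonce( 'wp_rest' ).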
As a precaution, OptinMonster has invalidated all API keys, forcing administrators to generate new ones, in case any keys had been previously compromised. There are no sites known to have been exploited at this time, but the vulnerabilities are now public. Site owners are advised to update to the latest version of the plugin as soon as possible.