Gaping OptinMonster security hole patched

Vulnerabilities in OptinMonster, an email marketing plugin for WordPress, left more than a million websites open to exploitation, security researchers at Wordfence warn.

Left unaddressed, the flaws make it possible for an unauthenticated attacker to export sensitive information and add malicious JavaScript to vulnerable WordPress sites, among other exploits.

The Wordfence Threat Intelligence team notified developers of the plugin about the problem on September 28. A fully patched edition of OptinMonster, version 2.6.5, was released on October 7.

Wordfence went public with a security advisory detailing its findings on Wednesday (October 27).

Monster-in-the-Middle

OptinMonster is designed to help website owners generate eCommerce leads and create sales campaigns on WordPress sites. The software makes heavy use of API endpoints to provide this integration.

This feature, security researchers at Wordfence discovered, is something of a weak spot for the technology:

The majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site.

With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

In addition to the /wp-json/omapp/v1/support endpoint, nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking, the Wordfence researchers said.

A further flaw made it possible for unauthenticated attackers – in practice any modestly technical miscreant who visited a WordPress site – to compromise the software without any login credentials.

The issue stems from problems with the logged_in_or_has_api_key function.
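To make the class of weakness concrete (an endpoint whose permission callback does no capability checking, beside one that requires either a privileged logged-in user or a verified API key), here is an added illustration in WordPress plugin PHP. It is not OptinMonster's code and does not reproduce the actual logged_in_or_has_api_key logic; the plugin name, route names, header name and option key are made up for the example.

```php
<?php
// Added illustration of the bug class, not the plugin's own code.
// Assumes a hypothetical plugin that stores its API key in the option
// 'myplugin_api_key' and expects callers to send it in 'X-MyPlugin-Api-Key'.

// WEAK: a permission callback that always returns true makes the route
// reachable by any visitor who can hit /wp-json/, with no capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/support-unprotected', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_support_data',
        'permission_callback' => '__return_true', // vulnerable pattern
    ) );
} );

// HARDENED: allow only a logged-in user holding manage_options (WordPress
// cookie auth for REST already requires a valid nonce) or a request that
// carries an API key matching the stored one, compared in constant time.
function myplugin_can_access_support( WP_REST_Request $request ) {
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return true;
    }
    $supplied = (string) $request->get_header( 'X-MyPlugin-Api-Key' );
    $stored   = (string) get_option( 'myplugin_api_key', '' );
    // Reject an unset key outright so an unconfigured site is closed, not open.
    if ( '' !== $stored && '' !== $supplied && hash_equals( $stored, $supplied ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 401 ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/support', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_support_data',
        'permission_callback' => 'myplugin_can_access_support',
    ) );
} );

// Handler: return only what a support request needs. Keeping the server path
// and the API key out of the response limits what any future permission slip
// can disclose.
function myplugin_support_data( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'wp_version'    => get_bloginfo( 'version' ),
        'key_configured' => '' !== get_option( 'myplugin_api_key', '' ),
    ) );
}
```

A quick check on any site is to request each registered route without cookies or headers: a 200 where a 401 was expected is the symptom described above.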

Fortunately, in addition to updating the plugin software, the “OptinMonster team invalidated all API keys to force site owners to generate new keys in the off chance that a key had been previously compromised” as an added precaution, according to Wordfence.

According to the latest stats from the WordPress plugin store, nearly a quarter (23.6%) of the one million OptinMonster installations are running badly outdated builds. The remaining figure accounts for all installations in the 2.6 branch, all of which below 2.6.5 remain insecure.

There is no more granular breakdown of the number of sites that have already upgraded to 2.6.5 or the latest 2.6.6 version of OptinMonster, so the exact percentage of vulnerable installs remains unclear.

All users of OptinMonster are strongly urged to update to the latest, patched version of the plugin (2.6.5 or above), regardless of whatever secondary security protection they might have, in order to guard themselves against potential attack.
