A Flaw in OptinMonster plugin has affected over 1 million WordPress Sites
Summary
This security flaw in the OptinMonster plugin was first discovered by Wordfence on 28th September 2021. “Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions,” stated Chloe Chamberland of Wordfence.
OptinMonster is one of the most widely used WordPress plugins; it creates opt-in forms that let site owners convert visitors into subscribers or customers. On October 7th, 2021, the OptinMonster team released the patched version, 2.6.5.
The vulnerability is tracked as CVE-2021-39341 and described as “Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access”. Its CVSS score is 7.2 (High). OptinMonster version 2.6.1 and all earlier versions are reported to be vulnerable.
Describing the attack scenario, Chamberland said: “Any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plugin code with a webshell to gain backdoor access to a site.”
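The root cause named in the advisory is a REST API endpoint that any visitor could call. The following is an added illustration for plugin developers and reviewers, not OptinMonster's own code: a WordPress REST route registered without an access check, beside the same route with a capability-based `permission_callback`. The namespace `example-optin/v1`, the route names, the `manage_options` capability and the sample payload are assumptions.

```php
<?php
// Added example (not OptinMonster's code). Shows what an "unprotected
// REST API" looks like in WordPress and how to gate it.

// Handler shared by both routes. The returned data is constructed sample
// content standing in for campaign settings and third-party API keys.
function example_optin_export( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'campaigns' => array( array( 'id' => 1, 'title' => 'Newsletter popup' ) ),
        'api_key'   => '[placeholder-api-key]',
    ) );
}

add_action( 'rest_api_init', function () {
    // WEAK: permission_callback => '__return_true' means every request,
    // including unauthenticated ones, passes the access check. Anyone can
    // GET /wp-json/example-optin/v1/export and read the data above.
    register_rest_route( 'example-optin/v1', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_optin_export',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require an authenticated user who holds a capability that
    // matches the sensitivity of the data. WordPress only establishes a
    // user for cookie-authenticated REST calls when a valid nonce is sent,
    // so current_user_can() cannot be satisfied by an anonymous visitor.
    register_rest_route( 'example-optin/v1', '/export-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_optin_export',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users
                // without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to export campaign data.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );
```

When auditing a plugin, grep its `register_rest_route` calls for `__return_true` and for permission callbacks that only inspect the referer or a request parameter; each such route should be justified as genuinely public.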
Impact
Allows an unauthenticated attacker (any site visitor) to export sensitive information and add malicious JavaScript to WordPress sites.
Remediation
Update to the latest version (2.6.5) immediately.
References
- https://www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities/
- https://therecord.media/wordpress-plugin-bug-lets-attackers-inject-code-into-vulnerable-sites/