OptinMonster 2.6.5 Patches Multiple Security Vulnerabilities

OptinMonster 2.6.5 Patches Multiple Security Vulnerabilities

Posted by WP Tavern on October 28, 2021 at 11:29 am
kitty kitty CATegory News
In late September, Chloe Chamberland, a researcher at Wordfence, discovered multiple security vulnerabilities in the OptinMonster plugin, which could allow unauthenticated attackers to export sensitive information and inject malicious JavaScript into vulnerable sites. The OptinMonster team promptly patched the plugin and updated the plugin again after more feedback from the Wordfence team. Version 2.6.5 was released on October 7, 2021, to address these issues. OptinMonster is used on more than 1 million WordPress sites to create popup campaigns, email subscription forms, sticky announcement bars, and gamified spin-a-wheel opt-in forms. The plugin relies heavily on the use of WP REST API endpoints. Chamberland identified the majority of these endpoints as “insecurely implemented:” The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.Worse yet, an attacker did not need to be authenticated to the site in order to access the API…

…Full post on WP Tavern
Read Full

Similar Posts

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments