Tuesday, May 13, 2025
HomeVulnerability1,000,000 WordPress Websites Affected with OptinMonster Vulnerabilities

1,000,000 WordPress Websites Affected with OptinMonster Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

Multiple vulnerabilities were discovered recently by the Wordfence Threat Intelligence team in OptinMonster, it’s a popular WordPress plugin that is already installed on more than 1,000,000 WordPress Websites.

The vulnerabilities identified in OptinMonster allow an attacker to export sensitive data, put malicious JavaScript onto the vulnerable WordPress sites, and do many other actions remotely.

In short, these multiple vulnerabilities allow unauthorized API access to sensitive data on more than a million websites on the platform.

- Advertisement - Google News

Flaw profile

On September 28, the primary flaw is tracked as CVE-2021-39341, which was discovered by researcher Chloe Chamberland, and a fix was made available on October 7 in version 2.6.5 of the plugin.

While here below we have mentioned the flaw profile with all the key details:-

  • CVE ID: CVE-2021-39341
  • Affected Plugin: OptinMonster
  • Description: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access
  • Plugin Slug: optinmonster
  • CVSS Score: 7.2 (High)
  • Affected Versions: <= 2.6.4
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Fully Patched Version: 2.6.5

API issue

OptinMonster makes use of APIs for the full functioning of its integration with other services since it helps site owners convert visitors to subscribers/customers through beautiful opt-in forms.

API allows the creation of platforms in a more manageable and more practical way for the developers. So, the implementation of these assemblies in OptionMonster is not always reliable.

If there is a critical flaw in the process then it can expose the sensitive data to the operators without any authorization like:-

  • API keys
  • Path of communicating servers

On the OptinMonster accounts, an attacker having the API key can make changes and also establish malicious JavaScript snippets on the vulnerable websites. 

Even all the REST-API endpoints that are registered in the plugin was vulnerable to authorization bypass flaw. However, among them, the /wp-json/omapp/v1/support’ endpoint s the worse one.

Here, to access the API endpoint the threat actors didn’t have to authenticate on the targeted website, the HTTP request made by the attacker will evade all the security checks, and this makes the situation more volatile.

However, the developers of OptinMonster have already invalidated all the API keys that are assumed to be stolen, and they have forced all the website owners to generate the new keys.

Apart from this, all the vulnerable website owners were recommended by the security analysts of the Wordfence Threat Intelligence team to immediately update their old version of OptinMonster with the latest version 2.6.5.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

VMware Tools Vulnerability Allows Attackers to Modify Files and Launch Malicious Operations

Broadcom-owned VMware has released security patches addressing a moderate severity insecure file handling vulnerability...

Mitel SIP Phone Flaws Allow Attackers to Inject Malicious Commands

A pair of vulnerabilities in Mitel’s 6800 Series, 6900 Series, and 6900w Series SIP...

PoC Code Published for Linux nftables Security Vulnerability

Security researchers have published proof-of-concept (PoC) exploit code for CVE-2024-26809, a high-severity double-free vulnerability in...