Thursday, March 28, 2024

1,000,000 WordPress Websites Affected with OptinMonster Vulnerabilities

Multiple vulnerabilities were discovered recently by the Wordfence Threat Intelligence team in OptinMonster, it’s a popular WordPress plugin that is already installed on more than 1,000,000 WordPress Websites.

The vulnerabilities identified in OptinMonster allow an attacker to export sensitive data, put malicious JavaScript onto the vulnerable WordPress sites, and do many other actions remotely.

In short, these multiple vulnerabilities allow unauthorized API access to sensitive data on more than a million websites on the platform.

Flaw profile

On September 28, the primary flaw is tracked as CVE-2021-39341, which was discovered by researcher Chloe Chamberland, and a fix was made available on October 7 in version 2.6.5 of the plugin.

While here below we have mentioned the flaw profile with all the key details:-

  • CVE ID: CVE-2021-39341
  • Affected Plugin: OptinMonster
  • Description: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access
  • Plugin Slug: optinmonster
  • CVSS Score: 7.2 (High)
  • Affected Versions: <= 2.6.4
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Fully Patched Version: 2.6.5

API issue

OptinMonster makes use of APIs for the full functioning of its integration with other services since it helps site owners convert visitors to subscribers/customers through beautiful opt-in forms.

API allows the creation of platforms in a more manageable and more practical way for the developers. So, the implementation of these assemblies in OptionMonster is not always reliable.

If there is a critical flaw in the process then it can expose the sensitive data to the operators without any authorization like:-

  • API keys
  • Path of communicating servers

On the OptinMonster accounts, an attacker having the API key can make changes and also establish malicious JavaScript snippets on the vulnerable websites. 

Even all the REST-API endpoints that are registered in the plugin was vulnerable to authorization bypass flaw. However, among them, the /wp-json/omapp/v1/support’ endpoint s the worse one.

Here, to access the API endpoint the threat actors didn’t have to authenticate on the targeted website, the HTTP request made by the attacker will evade all the security checks, and this makes the situation more volatile.

However, the developers of OptinMonster have already invalidated all the API keys that are assumed to be stolen, and they have forced all the website owners to generate the new keys.

Apart from this, all the vulnerable website owners were recommended by the security analysts of the Wordfence Threat Intelligence team to immediately update their old version of OptinMonster with the latest version 2.6.5.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles