Vulnerability discovered in WordPress plugin “OptinMonster” that allows attackers to remotely execute code


A security flaw has been found in a WordPress plugin called “OptinMonster”, which is installed on over a million websites, allowing attackers to inject malicious code into vulnerable sites.

This vulnerability is tracked as CVE-2021-39341.

1,000,000 Sites Affected by OptinMonster Vulnerabilities

This vulnerability was discovered by Wordfence, a provider of web firewalls for WordPress sites. The affected component is the plugin that integrates OptinMonster’s platform within a WordPress site.

These vulnerabilities allowed an unauthenticated attacker, or site visitor, to export sensitive information or add malicious JavaScript to a WordPress site!

Chloe Chamberland, a security researcher at Wordfence

According to the technical report, the vulnerability is due to a coding flaw.

That is, the report explains that the plugin was opening up many of the OptinMonster API endpoints to commands via the site where the plugin was installed.

Chamberland said attackers could query these API endpoints and obtain detailed information about the site, including the OptinMonster API key. With this API key, they could make changes to the site’s OptinMonster marketing and sales campaigns and add their own malicious code to the pop-ups that the plugin displayed to site visitors.
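
The class of flaw described above, a REST endpoint that answers without an authorization check and returns a stored API key, shown beside a hardened form. This is an added example for a hypothetical plugin, not OptinMonster's code and not taken from the Wordfence report; the `example-optin/v1` namespace, the route names and the `example_optin_api_key` option are assumptions.

```php
<?php
// Added illustration for a hypothetical plugin; NOT OptinMonster's code.
// Namespace, route names and option name are assumptions.

add_action('rest_api_init', function () {
    // WEAK: the permission callback lets every visitor through, so an
    // unauthenticated request can read the stored third-party API key.
    register_rest_route('example-optin/v1', '/info-weak', [
        'methods'             => 'GET',
        'callback'            => 'example_optin_info_weak',
        'permission_callback' => '__return_true',
    ]);

    // HARDENED: only administrators may call the route, and the
    // response never contains the secret itself.
    register_rest_route('example-optin/v1', '/info', [
        'methods'             => 'GET',
        'callback'            => 'example_optin_info',
        'permission_callback' => 'example_optin_can_manage',
    ]);
});

// Returns true for administrators, otherwise a 401/403 error.
function example_optin_can_manage() {
    if (!current_user_can('manage_options')) {
        return new WP_Error('rest_forbidden', 'Authentication required.',
            ['status' => rest_authorization_required_code()]);
    }
    return true;
}

function example_optin_info_weak() {
    return rest_ensure_response([
        'site'    => home_url(),
        'api_key' => get_option('example_optin_api_key'), // secret leaked
    ]);
}

function example_optin_info() {
    $key = (string) get_option('example_optin_api_key', '');
    return rest_ensure_response([
        'site'        => home_url(),
        'api_key_set' => $key !== '', // report presence only, never the key
    ]);
}
```

Even with the hardened route in place, a key that was ever served by the weak route has to be treated as exposed and replaced, which is why regenerating API keys is part of the remediation.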

When the Wordfence team reported this issue to OptinMonster in late September, the company released a temporary patch a day later and a full patch through the OptinMonster 2.6.5 release on October 7.

In addition, since it is unclear if this issue has been exploited before, OptinMonster recommends that users disable all API keys and generate new ones.

Wordfence has made this issue public to allow over a million users time to update their sites before a major exploit of this issue begins.
