The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.
Tracked as CVE-2021-39341, the flaw was discovered by researcher Chloe Chamberland on September 28, 2021, with a patch becoming available on October 7, 2021.
All users of the OptinMonster plugin are advised to upgrade to version 2.6.5 or later, as all earlier versions are affected.
OptinMonster is one of the most popular WordPress plugins used to create beautiful opt-in forms that help site owners convert visitors to subscribers/customers.
It is essentially a lead generator and monetization tool, and thanks to its ease of use and abundance of features, it’s deployed on approximately a million sites.
As Chamberland explains in her vulnerability disclosure report, OptinMonster’s power relies upon API endpoints that allow seamless integration and a streamlined design process.
Excerpt from Bill Toulas at Bleeping Computer
Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.
We sent the full disclosure details to OptinMonster on September 28, 2021, after confirming the appropriate channel to handle communications. The OptinMonster team quickly acknowledged the report by releasing a patch the next day. We followed up to let them know that some improvements were needed on the patch, and a fully patched version was released as 2.6.5 on October 7, 2021.
We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.4
CVE ID: CVE-2021-39341
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.5
OptinMonster is an incredibly intuitive and easy to use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin’s functionality as well as the OptinMonster app site rely on the use of API endpoints to allow seamless integration and a streamlined design process.
Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
The most critical of the REST-API endpoints was the
Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint due to the functionality implemented within the `logged_in_or_has_api_key` function used as the `permissions_callback`. For instance, if a request to an API endpoint had the `Referer` header set to `https://wp.app.optinmonster.test` and the HTTP request type set to `OPTIONS`, then the function would return `true`, thereby passing the capability check. An attacker could simply meet these requirements and set the `X-HTTP-Method-Override` HTTP header to the method required for the REST-API endpoint, such as `GET` or `POST`, to successfully make the request.
Fortunately, the OptinMonster team invalidated all API keys to force site owners to generate new keys, in the off chance that a key had been previously compromised, and implemented restrictions that prevent API keys associated with WordPress sites from making campaign changes through the OptinMonster app, which prevents successful exploitation of this vulnerability chain.
Not the Only Endpoint Affected
In addition to the `/wp-json/omapp/v1/support` endpoint, nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking, allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions. Attackers could do things like change settings, view campaign data, enable/disable debug mode, and more.
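As an added defender-side example (not Wordfence's firewall rule or any OptinMonster code), the following Python flags requests that match the bypass pattern described above, an `OPTIONS` request carrying an `X-HTTP-Method-Override` header, against any endpoint in the plugin's `omapp` REST namespace rather than only `/wp-json/omapp/v1/support`. It assumes a constructed JSON-lines proxy/WAF log format and treats the `Referer` only as a corroborating signal, since a plain `OPTIONS` preflight without the override header is legitimate traffic.

```python
# Added example (not Wordfence's firewall rule or OptinMonster code): flags
# requests matching the permissions_callback bypass pattern described above.
# Assumes a proxy/WAF log in a constructed JSON-lines format with "method",
# "path" and "headers" fields.
import json
from urllib.parse import urlparse

OMAPP_PREFIX = "/wp-json/omapp/v1/"
APP_HOST = "wp.app.optinmonster.test"  # Referer origin named in the advisory
OVERRIDABLE = {"GET", "POST", "PUT", "PATCH", "DELETE"}

def classify(req):
    """Return the effective (overridden) method when the request matches the
    bypass pattern, else None. A plain OPTIONS (CORS preflight) without the
    override header is legitimate traffic from the app and is not flagged."""
    if not req.get("path", "").startswith(OMAPP_PREFIX):
        return None
    if req.get("method", "").upper() != "OPTIONS":
        return None
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    override = headers.get("x-http-method-override", "").upper()
    return override if override in OVERRIDABLE else None

def referer_spoofs_app(req):
    """True when the Referer claims the OptinMonster app origin; the bypass
    relied on this, but a Referer alone is client-controlled and not proof."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    return urlparse(headers.get("referer", "")).hostname == APP_HOST

def scan(log_lines):
    """Return (line_no, path, effective_method, app_referer) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        method = classify(req)
        if method:
            hits.append((n, req["path"], method, referer_spoofs_app(req)))
    return hits

# Constructed sample log: line 2 is the bypass pattern, line 3 a benign preflight.
SAMPLE_LOG = [
    '{"method": "GET", "path": "/wp-json/omapp/v1/support", "headers": {"Accept": "application/json"}}',
    '{"method": "OPTIONS", "path": "/wp-json/omapp/v1/support", "headers": {"Referer": "https://wp.app.optinmonster.test/", "X-HTTP-Method-Override": "GET"}}',
    '{"method": "OPTIONS", "path": "/wp-json/omapp/v1/support", "headers": {"Origin": "https://wp.app.optinmonster.test"}}',
    '{"method": "OPTIONS", "path": "/wp-json/wp/v2/posts", "headers": {"X-HTTP-Method-Override": "POST"}}',
    '{"method": "options", "path": "/wp-json/omapp/v1/example-endpoint", "headers": {"x-http-method-override": "post"}}',
]
```

Running `scan(SAMPLE_LOG)` reports only lines 2 and 5; an alert on a hit should be followed by confirming the site is on 2.6.5 or later.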
September 28, 2021 6:07 PM UTC – Conclusion of the plugin analysis that led to the discovery of multiple vulnerabilities in the OptinMonster WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 28, 2021 6:12 PM UTC – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
September 28, 2021 6:19 PM UTC – The vendor confirms the inbox for handling the discussion.
September 28, 2021 7:06 PM UTC – We send over the full disclosure details.
September 29, 2021 7:48 AM UTC – The first version of an update is released. We follow up to provide them with additional recommendations.
October 7, 2021 – A fully patched version of the plugin, 2.6.5, is released.
October 28, 2021 – Wordfence free users receive the firewall rule.
In today’s post, we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites. These flaws have been fully patched in version 2.6.5.
We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are serious vulnerabilities that can lead to complete site takeover.