1,000,000 Sites Affected by OptinMonster Vulnerabilities

The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites.

Tracked as CVE-2021-39341, the flaw was discovered by researcher Chloe Chamberland on September 28, 2021, with a patch becoming available on October 7, 2021.

All users of the OptinMonster plugin are advised to upgrade to version 2.6.5 or later, as all earlier versions are affected.

API trouble

OptinMonster is one of the most popular WordPress plugins used to create beautiful opt-in forms that help site owners convert visitors to subscribers/customers.

It is essentially a lead generator and monetization tool, and thanks to its ease of use and abundance of features, it’s deployed on approximately a million sites.

As Chamberland explains in her vulnerability disclosure report, OptinMonster’s power relies upon API endpoints that allow seamless integration and a streamlined design process. Excerpt from Bill Toulas at Bleeping Computer

From Wordfence:
On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

We sent the full disclosure details to OptinMonster on September 28, 2021, after confirming the appropriate channel to handle communications.The OptinMonster team quickly acknowledged the report by releasing a patch the next day. We followed up to let them know some improvements were needed on the patch and a fully patched version was released as 2.6.5 on October 7, 2021.

We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.

Description: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.4
CVE ID: CVE-2021-39341
CVSS Score: 7.2 (High)
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.5

OptinMonster is an incredibly intuitive and easy to use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin’s functionality as well as the OptinMonster app site rely on the use of API endpoints to allow seamless integration and a streamlined design process.

Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint due to the functionality implemented within the logged_in_or_has_api_key function used as the permissions_callback. For instance, if a request to an API endpoint had the Referer header set to https://wp.app.optinmonster.test and the HTTP request type set to OPTIONS then the function would return `true` thereby passing the capability check. An attacker could simply meet these requirements and set the X-HTTP-Method-Override HTTP header to the method required for the REST-API endpoint, such as GET or POST, to successfully make the request.

public function logged_in_or_has_api_key( $request ) {
    if (
        ! empty( $_SERVER['HTTP_REFERER'] )
        && false !== strpos( $_SERVER['HTTP_REFERER'], 'https://wp.app.optinmonster.test' )
    ) {
        return true;
    return is_user_logged_in() || true === $this->has_valid_api_key( $request );

This meant that any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plugin code with a webshell to gain backdoor access to a site.

Fortunately, the OptinMonster team invalidated all API keys to force site owners to generate new keys in the off chance that a key had been previously compromised, and implemented restrictions that inhibited API keys associated with WordPress sites from being able to make campaign changes using the OptinMonster app which prevents successful exploitation of this vulnerability chain.

Not the Only Endpoint Affected
In addition to the /wp-json/omapp/v1/support endpoint, nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions. Attackers could do things like change settings, view campaign data, enable/disable debug mode, and more.

Disclosure Timeline

September 28, 2021 6:07 PM UTC – Conclusion of the plugin analysis that led to the discovery of multiple vulnerabilities in the OptinMonster WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 28, 2021 6:12 PM UTC – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
September 28, 2021 6:19 PM UTC – The vendor confirms the inbox for handling the discussion.
September 28, 2021 7:06 PM UTC – We send over the full disclosure details.
September 29, 2021 7:48 AM UTC – The first version of an update is released. We follow up to provide them with additional recommendations.
October 7, 2021 – A fully patched version of the plugin, 2.6.5, is released.
October 28, 2021 – Wordfence free users receive the firewall rule.


In today’s post, we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites. These flaws have been fully patched in version 2.6.5.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are serious vulnerabilities that can lead to complete site takeover.

Leave a Reply

WEB DESIGN, GRAPHIC DESIGN, WEB HOSTING kimtown offers Website Design, Splash Page Design, Shopping Cart Design, E-commerce Design, Blog Design, Web Hosting, for all kinds of small, medium and large sized businesses. Designs for Photographers, designs for Artists, designs for Seamstresses, designs for Builders, designs for Architects and so much more! Logo Design, Business Card Design, Brochure Design, Mailing Designs and any other print media work you need. Social media design, branding, sublimation design, custom embroidery digitizing and design for all business types out of Jacksonville Florida but serving the United States and most countries, worldwide. 

Join my list:

Don’t miss a thing! Sign up here!

DISCLAIMER: kimtown participates in affiliate marketing and may receive commissions when you click our links and purchase from them. This does not cost you extra and does not, in any way, change or impact our reviews and recommendations. We use these small commissions to help keep much of our content free. kimtown offers a wide variety of services including web design, splash pages, blogs, blog+sites, client sites, machform, facebook design and customization, client site login customization for photographers and small businesses.
HTML Websites for Photographers, Web Design, Splash Pages, Wordpress Blogs, Splash Page Design + Commercial Photography. kimtown Web Site Design, Custom HTML Sites, Web Design, Splash Pages, Forums, Blog Design, Installation, Blog Headers, Splash Page Editor. kimtown offers custom and template splash page design to clients around the world.

© 2006-2021 kimtown | All rights reserved.

Add to cart
%d bloggers like this: