Vulnerability of WordPress OptinMonster plugin affects +1 million sites

Wordfence WordPress security researchers reported a flaw in the OptinMonster plugin that allowed attackers to add malicious scripts to a site, attack its visitors, and ultimately take over the site completely. The failure to perform a basic security check exposed over a million sites to potential attacks.

Wordfence researchers commented:

“… we detailed a flaw in the OptinMonster plugin that allowed a dangerous chain of exploitation that allowed unauthenticated attackers to retrieve sensitive site data and gain unauthorized access to OptinMonster user accounts,” which could be used to add malicious scripts to vulnerable sites.


Lack of capability checking on REST-API endpoints

This vulnerability is not a case of clever hackers finding an ingenious way to exploit a perfectly coded WordPress plugin. Rather the opposite.

According to security researchers at the well-known WordPress security company Wordfence, the exploit was possible because of a flawed WordPress REST-API implementation in the OptinMonster plugin, which resulted in “insufficient capability checking.”

When properly coded, the REST-API is a secure method for extending the functionality of WordPress by allowing plugins and themes to interact with a WordPress site to manage and publish content. It allows a plugin or theme to interact directly with the website’s data without compromising security … if it is correctly coded.


The WordPress REST-API documentation states:

“… the most important thing to understand about the API is that it enables the modern block editor and plug-in interfaces without compromising the security or privacy of your site.”

The WordPress REST API is supposed to be secure.

Unfortunately, all websites using OptinMonster have had their security compromised due to the way OptinMonster implemented the WordPress REST API.

Majority of REST-API endpoints were insecure

REST-API endpoints are URLs that expose resources such as posts and pages on a WordPress site, which a plugin or theme can read, modify and manipulate.

But according to Wordfence, almost all REST-API endpoints in OptinMonster were poorly coded, compromising website security.

Wordfence commented on how poor OptinMonster’s REST-API implementation is:

“… the majority of REST-API endpoints were not securely implemented, which allowed unauthenticated attackers to gain access to many endpoints on sites running a vulnerable version of the plug-in.

… almost all of the other REST-API endpoints registered in the plug-in were vulnerable to permission bypass due to insufficient capability checking, allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”

Unauthenticated means the attacker does not need any account, registration or login on the targeted website.

Some vulnerabilities require an attacker to be registered as a subscriber or contributor, which makes it a bit more difficult to attack a site, especially if a site does not accept subscriber registrations.
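The pattern Wordfence describes comes down to the `permission_callback` passed to `register_rest_route()`. The following is an added illustration, not OptinMonster’s code or Wordfence’s: a hypothetical plugin registers the same kind of endpoint twice, first with a permission callback that lets anyone through, then with a capability check that only a privileged logged-in user can pass. The namespace, route names and option key are made up for the example.

```php
<?php
// Added example (not OptinMonster's code): an endpoint that stores campaign
// HTML, registered once insecurely and once with a real capability check.
add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' makes the endpoint reachable by any visitor,
    // logged in or not. This is the "insufficient capability checking"
    // class of bug: the route exists, but nothing gates who may call it.
    register_rest_route( 'example-plugin/v1', '/campaign-weak/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_campaign',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require a logged-in user holding a specific capability.
    // Cookie-authenticated callers must also present a valid REST nonce
    // (X-WP-Nonce), which WordPress core verifies before this callback runs,
    // so an unauthenticated visitor never reaches the handler.
    register_rest_route( 'example-plugin/v1', '/campaign/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_campaign',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to modify campaigns.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared handler. Even with the permission check in place, stored markup is
// filtered so that a privileged user cannot accidentally persist <script>.
function example_update_campaign( WP_REST_Request $request ) {
    $id   = (int) $request['id'];
    $html = wp_kses_post( (string) $request->get_param( 'html' ) );
    update_option( 'example_campaign_' . $id, $html );
    return rest_ensure_response( array( 'id' => $id, 'updated' => true ) );
}
```

Since WordPress 5.5, core emits a `_doing_it_wrong` notice when a route is registered with no `permission_callback` at all, but it cannot flag a callback that is present yet too permissive, so reviewing each route’s callback by hand is still the practical check.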


This vulnerability had no such barrier: no authentication was required to exploit OptinMonster, which is the worst-case scenario compared to exploits that require an authenticated user.

Wordfence has warned of the seriousness of an attack on a website using OptinMonster:

“… any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and full site takeover in the event that JavaScript was added to inject new administrative user accounts or overwrite the plug-in code with a webshell to access a site through a backdoor.”

Recommended action plan

Wordfence notified the publishers of OptinMonster, who about ten days later released an updated version of OptinMonster that plugged all the security holes.


The most secure version of OptinMonster is version 2.6.5.

Wordfence recommends all OptinMonster users to update their plugin:

“We recommend that WordPress users immediately verify that their site has been updated to the latest patch available, which is version 2.6.5 at the time of this publication.”

WordPress offers best-practice documentation for the REST-API and claims it is a secure technology.

So if these kinds of security issues aren’t supposed to happen, why do they keep happening?

The WordPress best practices documentation for the REST API states:

“… it activates the block editor and modern plug-in interfaces without compromising the security or privacy of your site.”


With over a million sites affected by this vulnerability, one has to wonder why, if best practices exist, this type of vulnerability still occurred in the very popular OptinMonster plugin.

While it’s not the fault of WordPress itself, this sort of thing negatively impacts the entire WordPress ecosystem.


Read the Wordfence report on OptinMonster: 1,000,000 sites affected by OptinMonster vulnerabilities