WordPress security researchers at Wordfence reported a flaw in the OptinMonster WordPress plugin, allowing hackers to upload malicious scripts that could potentially lead to full site takeovers. Over a million sites are at risk due to a lack of basic security checks.
The Wordfence researchers commented:
"…we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites.”
Lack of REST-API Endpoint Capability Checking
This vulnerability isn’t the result of clever hacking but of a failure in the plugin’s REST-API implementation, which Wordfence describes as "insufficient capability checking." The WordPress REST API lets plugins and themes expose their functionality over HTTP, and it does so safely only when each endpoint verifies that the caller actually holds the capability needed for the action. OptinMonster’s endpoints skipped that check.
The WordPress REST-API documentation states:
"…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site."
Unfortunately, OptinMonster’s implementation did exactly that, compromising the security of every site running a vulnerable version.
Majority of REST-API Endpoints Insecurely Implemented
A REST-API endpoint is a URL route through which a plugin or theme exposes an action, such as reading its settings or creating and editing a campaign. Wordfence found that almost every REST-API endpoint registered by OptinMonster failed to check who was calling it, leaving the sites that ran it exposed.
Wordfence commented on the poor implementation:
"…the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
… nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking, allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”
Because the affected endpoints did not check capabilities, attackers could exploit them without having an account on the site. In the worst case, an attacker could add malicious JavaScript to a campaign, redirecting site visitors to malicious domains or taking over the site completely.
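To make the "insufficient capability checking" class of bug concrete, here is an added illustration, not OptinMonster’s code and not taken from the Wordfence report, showing the same two REST routes registered the insecure way and the hardened way, as a WordPress plugin would. The namespace example/v1, the routes, the handler and option names and the chosen capabilities are hypothetical; the WordPress functions called (register_rest_route, current_user_can, rest_authorization_required_code, rest_validate_request_arg, rest_sanitize_request_arg) are real.

```php
<?php
// Added illustrative example, not OptinMonster's code. The namespace
// 'example/v1', the routes, callbacks, option name and capabilities are
// hypothetical; the WordPress functions used are real.

// Handlers shared by both registrations. A real plugin would use its own
// storage; a single option stands in for it here.
function example_get_campaigns( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_campaigns', array() ) );
}

function example_update_campaign_script( WP_REST_Request $request ) {
    $campaigns = get_option( 'example_campaigns', array() );
    $id        = (int) $request['id'];
    // The stored script is later echoed into every page, so whoever can reach
    // this endpoint can run JavaScript in every visitor's browser.
    $campaigns[ $id ]['script'] = (string) $request['script'];
    update_option( 'example_campaigns', $campaigns );
    return rest_ensure_response( array( 'updated' => $id ) );
}

// INSECURE pattern: '__return_true' accepts every caller. An unauthenticated
// GET /wp-json/example/v1/campaigns dumps the data, and an unauthenticated
// POST /wp-json/example/v1/campaigns/1/script plants a script. This function
// is deliberately not hooked to rest_api_init.
function example_register_routes_insecure() {
    register_rest_route( 'example/v1', '/campaigns', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_campaigns',
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'example/v1', '/campaigns/(?P<id>\d+)/script', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_campaign_script',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED pattern: every route names a capability the caller must hold.
// With no logged-in user current_user_can() is false and WordPress answers
// 401; a logged-in user who lacks the capability gets 403.
function example_require_cap( $cap ) {
    return function ( WP_REST_Request $request ) use ( $cap ) {
        if ( current_user_can( $cap ) ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to do that.',
            array( 'status' => rest_authorization_required_code() )
        );
    };
}

function example_register_routes_hardened() {
    register_rest_route( 'example/v1', '/campaigns', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_campaigns',
        'permission_callback' => example_require_cap( 'manage_options' ),
    ) );
    register_rest_route( 'example/v1', '/campaigns/(?P<id>\d+)/script', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_campaign_script',
        // Storing raw JavaScript that runs for every visitor is the power
        // WordPress already gates behind 'unfiltered_html'; require it here.
        'permission_callback' => example_require_cap( 'unfiltered_html' ),
        'args'                => array(
            'id'     => array(
                'required'          => true,
                'type'              => 'integer',
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg',
            ),
            'script' => array(
                'required' => true,
                'type'     => 'string',
            ),
        ),
    ) );
}

add_action( 'rest_api_init', 'example_register_routes_hardened' );
```

The check a site owner or tester can run against any plugin route is the same one the hardened version is written to pass: request the endpoint with no cookies and no X-WP-Nonce header, for example GET /wp-json/example/v1/campaigns, and expect an HTTP 401 with the rest_forbidden error rather than data. The permission callback is the only thing standing between an anonymous visitor and the handler; since WordPress 5.5 registering a route without one triggers a _doing_it_wrong notice, but a callback that simply returns true, as in the insecure function above, silences that notice while providing no protection at all.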
Recommended Course of Action
Wordfence notified OptinMonster’s publishers, and an updated version addressing the security flaws was released about ten days later. The patched version is 2.6.5.
Wordfence recommends all OptinMonster users update their plugin:
"We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.”
While WordPress offers documentation on best practices for REST-API and asserts its security, this vulnerability raises questions about why such issues occur, especially on a highly popular plugin like OptinMonster. Despite not being WordPress’s fault, these vulnerabilities negatively affect the WordPress ecosystem.
Citation
Read the Report About OptinMonster at Wordfence
1,000,000 Sites Affected by OptinMonster Vulnerabilities