CUSTOMER COMMENTARY

News About Finding & Keeping Customers

WordPress plugin vulnerability opened up one million sites to remote takeover

October 28, 2021 by Staff Reporter

John Leyden, 28 October 2021 at 15:14 UTC (updated 28 October 2021 at 15:15 UTC)

Gaping OptinMonster security hole patched

Vulnerabilities in OptinMonster, an email marketing plugin for WordPress, left more than a million websites open to exploitation, security researchers at Wordfence warn.

Left unaddressed, the flaws make it possible for an unauthenticated attacker to export sensitive information and add malicious JavaScript to vulnerable WordPress sites, among other exploits.

The Wordfence Threat Intelligence team notified developers of the plugin about the problem on September 28. A fully patched edition of OptinMonster, version 2.6.5, was released on October 7.

Wordfence went public with a security advisory detailing its findings on Wednesday (October 27).

Monster-in-the-Middle

OptinMonster is designed to help website owners generate eCommerce leads and create sales campaigns on WordPress sites. The plugin makes heavy use of REST API endpoints to integrate the site with the OptinMonster service.

This feature, security researchers at Wordfence discovered, is something of a weak spot for the technology:

The majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site.

With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

In addition to the /wp-json/omapp/v1/support endpoint, nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking, the Wordfence researchers said.

A further flaw made it possible for unauthenticated attackers – in practice, any modestly technical miscreant who could reach the WordPress site – to compromise the software without any login credentials.


The issue stems from problems with the logged_in_or_has_api_key function.
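As an added illustration (not OptinMonster's code, and not taken from the Wordfence advisory) of the two patterns the article describes, here is a WordPress REST route whose permission_callback lets anyone in, beside one that requires an administrator or a correctly compared per-site key and never echoes that key back in its response. The namespace demo/v1, the option name demo_api_key and the header X-Demo-Api-Key are assumptions for this demo; the WordPress functions used (register_rest_route, current_user_can, hash_equals, rest_authorization_required_code) are real.

```php
<?php
/**
 * Added example: weak vs. hardened REST permission callbacks.
 * Drop into a plugin file on a WordPress site; nothing here is OptinMonster code.
 * demo/v1, demo_api_key and X-Demo-Api-Key are assumed names for the demo.
 */

// Weak pattern: the route is reachable by anyone, so whatever the callback
// returns (server paths, stored keys, campaign settings) is effectively public.
// A permission_callback that only checks is_user_logged_in() is a similar
// half-measure: any subscriber-level account gets through.
function demo_register_weak_route() {
    register_rest_route( 'demo/v1', '/support', array(
        'methods'             => 'GET',
        'callback'            => 'demo_support_payload',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

// Hardened pattern: require an administrator capability, or a per-site API key
// sent in a request header and compared in constant time against the stored one.
function demo_logged_in_admin_or_has_api_key( WP_REST_Request $request ) {
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return true;
    }

    $stored = (string) get_option( 'demo_api_key', '' );        // assumed option name
    $given  = (string) $request->get_header( 'x-demo-api-key' ); // assumed header name

    // hash_equals avoids a timing side channel; refuse empty keys outright so an
    // unconfigured site does not accept an empty header as a match.
    if ( '' !== $stored && '' !== $given && hash_equals( $stored, $given ) ) {
        return true;
    }

    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to access this endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function demo_register_hardened_route() {
    register_rest_route( 'demo/v1', '/support', array(
        'methods'             => 'GET',
        'callback'            => 'demo_support_payload',
        'permission_callback' => 'demo_logged_in_admin_or_has_api_key',
    ) );
}

// Even an authorized caller should not receive the secret itself: report whether
// a key is configured and a short fingerprint, never the key or absolute paths.
function demo_support_payload( WP_REST_Request $request ) {
    $key = (string) get_option( 'demo_api_key', '' );
    return rest_ensure_response( array(
        'plugin_version' => '0.0.1', // assumed version string for the demo
        'api_key_set'    => '' !== $key,
        'api_key_sha256' => '' === $key ? null : substr( hash( 'sha256', $key ), 0, 12 ),
    ) );
}

// Register only the hardened route; the weak one is kept solely for comparison.
add_action( 'rest_api_init', 'demo_register_hardened_route' );
```

When auditing a plugin, grep for register_rest_route and read every permission_callback: anything that returns true unconditionally, checks only is_user_logged_in(), or compares a supplied key with == or === rather than hash_equals is the pattern to fix, and the callback body should be checked separately for secrets it returns to callers that do pass the check.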

Fortunately, in addition to patching the plugin, the “OptinMonster team invalidated all API keys to force site owners to generate new keys in the off chance that a key had been previously compromised” as an added precaution, according to Wordfence.

According to the latest stats from the WordPress plugin directory, nearly a quarter (23.6%) of the one million-plus OptinMonster installs are running badly outdated builds outside the 2.6 branch. The remainder are on the 2.6 branch, and every 2.6.x release below 2.6.5 remains insecure.

There is no more granular breakdown of how many sites have already upgraded to 2.6.5 or the latest 2.6.6 release, so the exact percentage of vulnerable installs remains unclear.

All OptinMonster users are strongly urged to update to a patched version of the plugin (2.6.5 or above), regardless of whatever secondary security protection they may have in place, to guard against potential attack.

Filed Under: EMAIL

Copyright © 2022 Customer Commentary · Privacy Policy · Terms & Conditions