ALERT: OptinMonster Vulnerabilities – 1,000,000+ Sites Affected


If your blog or website is one of the over 1,000,000 sites that are using the popular WordPress plugin OptinMonster, make sure that you upgrade to the latest version.

Last month, the Wordfence Threat Intelligence team discovered and disclosed several vulnerabilities in the OptinMonster plugin. Because of the disclosure process, it is only now that they’re able to share this information with the public and it was posted on the official Wordfence blog earlier today.

For those who are not familiar with OptinMonster, this popular plugin is considered one of the best pop-up builders and marketing plugins for WordPress. It helps site owners get more email subscribers, grow their business, increase sales, etc.

Back to the topic at hand. The security vulnerabilities that were recently discovered allowed an unauthenticated attacker (meaning any site visitor) to export sensitive information as well as add malicious JavaScript code to WordPress-powered sites running OptinMonster.

Kudos to the folks behind OptinMonster who quickly addressed the situation and released a patch a day after they received the report regarding the vulnerabilities. A fully patched version of the plugin (version 2.6.5) was released on October 7, 2021. If you have enabled automatic updates, then you don’t have to worry or do anything. If you don’t have auto-updates enabled for your WordPress plugins, just make sure to check what version of the plugin you’re using, and if you have anything older than version 2.6.5, then you have to update immediately!

OptinMonster Vulnerability Sample

The permission callback below, shown in the Wordfence disclosure, is the check that let unauthenticated visitors through: any request whose Referer header contains the expected string and whose method is OPTIONS is granted access without a login or an API key, even though the Referer header is entirely under the client's control.

    // Permission callback for the plugin's REST API endpoints.
    public function logged_in_or_has_api_key( $request ) {
        // Flawed shortcut: the Referer header is client-controlled, so this
        // condition can be satisfied by an unauthenticated visitor.
        if (
            ! empty( $_SERVER['HTTP_REFERER'] )
            && false !== strpos( $_SERVER['HTTP_REFERER'], 'https://wp.app.optinmonster.test' )
            && 'OPTIONS' === $_SERVER['REQUEST_METHOD']
        ) {
            return true;
        }

        // Intended check: a logged-in user or a valid API key.
        return is_user_logged_in() || true === $this->has_valid_api_key( $request );
    }
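To make the flaw concrete, here is an added example (not OptinMonster's or Wordfence's code) that puts the flawed callback beside a hardened variant and runs both against a constructed anonymous request. The WordPress function is_user_logged_in() and the plugin's has_valid_api_key() are stubbed, and the hardened version is an assumption about a reasonable fix (drop the header-based shortcut entirely), not the vendor's actual patch: the flawed check accepts the anonymous request, the hardened one rejects it unless a valid API key is supplied.

```php
<?php
// Added example: flawed vs hardened permission callback, exercised against
// constructed requests. Stubs stand in for WordPress core and the plugin.

// Constructed stub of WordPress core: every request here is anonymous.
function is_user_logged_in(): bool { return false; }

class PermissionDemo {
    // Constructed stub of the plugin's API-key check; accepts one known key.
    private function has_valid_api_key(array $request): bool {
        return ($request['apikey'] ?? '') === 'constructed-valid-key';
    }

    // Flawed check, as disclosed: a Referer containing the expected string plus
    // an OPTIONS method is treated as proof of trust, with no authentication.
    public function flawed(array $server, array $request): bool {
        if (
            ! empty( $server['HTTP_REFERER'] )
            && false !== strpos( $server['HTTP_REFERER'], 'https://wp.app.optinmonster.test' )
            && 'OPTIONS' === $server['REQUEST_METHOD']
        ) {
            return true;
        }
        return is_user_logged_in() || true === $this->has_valid_api_key( $request );
    }

    // Hardened variant (assumption, not the vendor's patch): never derive trust
    // from client-controlled headers; require a session or a valid API key.
    public function hardened(array $server, array $request): bool {
        return is_user_logged_in() || true === $this->has_valid_api_key( $request );
    }
}

// Constructed request: anonymous, no API key, Referer chosen to match, OPTIONS method.
$server = [
    'HTTP_REFERER'   => 'https://wp.app.optinmonster.test/anything',
    'REQUEST_METHOD' => 'OPTIONS',
];
$noKey   = [];
$withKey = ['apikey' => 'constructed-valid-key'];

$demo = new PermissionDemo();
printf("flawed,   anonymous:  %s\n", var_export($demo->flawed($server, $noKey), true));
printf("hardened, anonymous:  %s\n", var_export($demo->hardened($server, $noKey), true));
printf("hardened, valid key:  %s\n", var_export($demo->hardened($server, $withKey), true));
```

Run it with `php demo.php`; the first line shows the flawed callback granting access to a request that carries no credentials at all, which is the condition the page describes.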

To learn more about the story or get a better picture of what happened, make sure to head over to the Wordfence blog post, where more details are discussed, including the issues involving the REST API endpoints.

If you don’t log in to your WordPress dashboard regularly, I strongly recommend that you turn on auto-updates for your WordPress plugins. You can do that by going to Dashboard > Plugins, looking for the “Automatic update” column, and then clicking on “Enable auto-updates”.

Do any of you guys use OptinMonster and were affected by this? If you do, I hope none of your sites were attacked or had malicious JavaScript code added to them.
