Cybersecurity researchers have helped patch several vulnerabilities in an extremely popular WordPress plugin, which could have been exploited by any visitor to undertake a number of actions against affected WordPress websites, such as exporting sensitive information.
The vulnerabilities, discovered by WordPress security experts Wordfence, existed in the OptinMonster plugin, which boasts a user base of over a million websites.
OptinMonster helps create sales campaigns on WordPress websites without much effort, through the use of dialogs. Wordfence explains that the vast majority of the plugin’s functionality, as well as the OptinMonster app site, relies on the use of API endpoints.
“Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin,” wrote Wordfence’s threat analyst Chloe Chamberland.
In her rundown of the vulnerabilities, Chamberland notes that one of the vulnerable endpoints could have been exploited to leak sensitive data such as the site’s full path on the server, along with the API key the website uses to make requests to the OptinMonster site.
She notes that rather worryingly the vulnerability could have been exploited by any visitor to the website.
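The defect Wordfence describes is a WordPress REST route whose permission check lets any visitor through. The following is an added illustration, not OptinMonster's or Wordfence's code: the route namespace, the `/campaign-export` path and the `example_export_campaign` handler are hypothetical, and it places the unauthenticated pattern beside a hardened registration that requires a capability check and validates its input.

```php
<?php
// Added illustration, not the plugin's code. Namespace, route path and
// handler name are hypothetical placeholders.

// Weak pattern: '__return_true' means any visitor, logged in or not,
// can call the endpoint and receive whatever the handler returns.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/campaign-export', array(
        'methods'             => 'GET',
        'callback'            => 'example_export_campaign',
        'permission_callback' => '__return_true', // unauthenticated access
    ) );
} );

// Hardened pattern: the permission callback demands a logged-in user with
// the right capability. Cookie-authenticated REST calls must also carry a
// valid X-WP-Nonce header, which core checks before setting the current user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/campaign-export-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_export_campaign',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

// Return only the fields a caller legitimately needs; server paths and
// API keys never belong in a response body.
function example_export_campaign( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );
    return rest_ensure_response( array(
        'campaign_id' => $id,
        'name'        => get_option( "example_campaign_{$id}_name", '' ),
    ) );
}
```

Auditing a plugin for this class of bug means reviewing every `register_rest_route` call for a `permission_callback` that is missing, `__return_true`, or otherwise not tied to a capability check.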
Although there are no reports of the vulnerabilities being exploited in the wild, the plugin developer has invalidated all API keys, forcing users to generate new ones. They have also patched all the vulnerabilities and changed how campaigns can be modified.