
Security researchers at Wordfence discovered a flaw in the OptinMonster WordPress plugin that allowed attackers to add malicious scripts to a site, attack its visitors, and ultimately take the site over completely. The failure to perform a basic security check exposed over a million websites to potential attacks.
According to the Wordfence researchers:
“…we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites.”
Missing REST-API Endpoint Capability Checks
This vulnerability isn’t the result of hackers being extremely clever and devising a devious way to exploit a perfectly coded WordPress plugin. Quite the contrary.
The exploit was caused by a failure in the OptinMonster plugin’s implementation of the WordPress REST-API, which resulted in “insufficient capability checking,” according to the researchers at the WordPress security company Wordfence.
When properly coded, the REST-API is a safe way to extend WordPress functionality: it lets plugins and themes interact with a WordPress site for content management and publishing, including direct interaction with the website database, without jeopardizing security.
According to the WordPress REST-API documentation:
“…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
WordPress’s REST-API is supposed to be safe.
Unfortunately, because of how OptinMonster implemented the WordPress REST-API, all websites using OptinMonster had their security compromised.
Most REST-API Endpoints Were Insecurely Implemented
REST-API endpoints are URLs through which a plugin, theme, or other client can read and modify a WordPress site’s data, such as its posts, pages, and settings.
However, according to Wordfence, almost every REST-API endpoint in OptinMonster was incorrectly coded, jeopardizing website security.
Wordfence commented on OptinMonster’s poor REST-API implementation:
“…the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
…nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”
Unauthenticated attackers are those with no account on the website under attack; they are not logged in and have no relationship with the site at all.
Some vulnerabilities require an attacker to be registered as a subscriber or contributor, which makes attacking a site a little more difficult, especially if the site does not accept subscriber registrations.
This vulnerability had no such barrier: no authentication was required to exploit OptinMonster, which is the worst case when compared with exploits that require an authenticated user.
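To make the “insufficient capability checking” described above concrete, here is an added example of the bug class in WordPress plugin code. It is not OptinMonster’s or Wordfence’s code; the route namespace `example/v1`, the option name `example_campaign_js`, and the function names are invented for illustration. The first registration lets any visitor change a site-wide script; the second requires an appropriate capability; the audit function lists every registered route that has no real authorization.

```php
<?php
/**
 * Added example, not from the OptinMonster plugin or the Wordfence write-up.
 * Shows an insecure REST route beside a hardened one, plus an audit helper
 * that lists routes whose permission_callback admits everyone.
 * The 'example/v1' namespace and 'example_campaign_js' option are invented.
 */

// Shared handler: stores a script body that the plugin would later print
// into the site's front end. Authorization belongs in permission_callback,
// not here, because WordPress evaluates permission_callback first.
function example_save_campaign_script( WP_REST_Request $request ) {
    update_option( 'example_campaign_js', (string) $request->get_param( 'script' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// INSECURE: '__return_true' means "anyone may call this", including visitors
// who are not logged in. This is the pattern behind "insufficient capability
// checking": a state-changing endpoint with no authorization at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/campaign-script', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_campaign_script',
        'permission_callback' => '__return_true', // the defect
    ) );
} );

// HARDENED: require the capabilities that govern this action. Writing raw
// script into every page is an administrator-level change, so require both
// manage_options and unfiltered_html (the capability WordPress itself uses
// to gate unfiltered HTML/script). Cookie-authenticated callers must also
// send a valid REST nonce, which WordPress verifies before this runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/campaign-script-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_campaign_script',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change campaign scripts.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'script' => array(
                'required' => true,
                'type'     => 'string',
            ),
        ),
    ) );
} );

// AUDIT: list every registered route/method whose permission_callback is
// missing or is the always-true helper. Run after all plugins have
// registered their routes, e.g. `wp eval-file this-file.php` under WP-CLI.
function example_audit_open_rest_routes() {
    $open = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || '__return_true' === $cb ) {
                // 'methods' is an array keyed by HTTP verb, e.g. ['POST' => true].
                $methods = isset( $handler['methods'] ) ? implode( ',', array_keys( $handler['methods'] ) ) : '?';
                $open[] = $methods . ' ' . $route;
            }
        }
    }
    return $open;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( example_audit_open_rest_routes() as $line ) {
        WP_CLI::line( $line );
    }
}
```

Public read-only endpoints (core’s `GET /wp/v2/posts`, for instance) legitimately use `__return_true`, so the audit output is not a list of vulnerabilities; the entries to examine first are those whose methods include POST, PUT, PATCH, or DELETE, and any GET route that returns data not shown to anonymous visitors on the site itself.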
Wordfence issued a warning about the severity of an OptinMonster attack on a website:
“…any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plugin code with a webshell to gain backdoor access to a site.”
Action Plan Suggestions
Wordfence notified OptinMonster’s publisher, which released an updated version of the plugin about ten days later that closed the security holes.
Version 2.6.5 is the patched version of OptinMonster.
Wordfence recommends that all OptinMonster users update their plugin:
“We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.”
WordPress provides documentation on REST-API best practices and describes the REST-API as a secure technology.
So, if these kinds of security issues aren’t supposed to happen, why do they?
According to the WordPress documentation on REST-API best practices:
“…it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
With over a million sites affected by this vulnerability, one has to wonder why, if best practices exist, such a vulnerability occurred on the widely used OptinMonster plugin.
While this isn’t WordPress’s fault, it does have a negative impact on the entire WordPress ecosystem.