1,000,000 Sites Affected by OptinMonster Vulnerabilities

OptinMonster is an intuitive and easy-to-use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin's functionality, as well as the OptinMonster app site, rely on API endpoints to allow seamless integration and a streamlined design process.

Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint, because of how the logged_in_or_has_api_key function used as the permissions_callback was implemented.
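To make the point about permission callbacks concrete, here is an added illustration of how a WordPress REST route with "logged in or has API key" semantics can be registered so that an unauthenticated request is actually rejected. This is example code written for this post, not OptinMonster's code; the namespace `myplugin/v1`, the route names, the `myplugin_api_key` option, the `X-Api-Key` header and the `myplugin_support_data` function are all assumptions chosen for the example.

```php
<?php
// Added example, not OptinMonster's code. Namespace, route names, option
// name, header name and function names are assumptions for illustration.

add_action( 'rest_api_init', function () {

    // Weak pattern: '__return_true' grants access to every request, so the
    // route is reachable without any credentials at all.
    register_rest_route( 'myplugin/v1', '/support-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_support_data',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: access requires either an authenticated administrator
    // or knowledge of the site's secret API key. Nothing else in the request
    // (referer, origin, user agent) is trusted to decide authorization.
    register_rest_route( 'myplugin/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_support_data',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Path 1: a logged-in user with an administrative capability.
            // WordPress only sets the current user for REST requests that
            // carry a valid cookie + X-WP-Nonce or an Application Password.
            if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
                return true;
            }

            // Path 2: the caller presents the stored secret key. Compare in
            // constant time and refuse an empty stored key outright.
            $stored = (string) get_option( 'myplugin_api_key', '' );
            $given  = (string) $request->get_header( 'x-api-key' );
            if ( '' !== $stored && '' !== $given && hash_equals( $stored, $given ) ) {
                return true;
            }

            // 401 for anonymous callers, 403 for logged-in users without rights.
            return new WP_Error(
                'rest_forbidden',
                'Authentication required.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

// Even on the authorized route, do not echo secrets or the server path back
// to the caller; return a redacted diagnostic instead.
function myplugin_support_data( WP_REST_Request $request ) {
    $api_key = (string) get_option( 'myplugin_api_key', '' );
    return rest_ensure_response( array(
        'php_version'  => PHP_VERSION,
        'api_key_set'  => '' !== $api_key,                        // boolean, never the key
        'api_key_hint' => '' !== $api_key ? substr( $api_key, 0, 4 ) . '...' : null,
        // deliberately omitted: ABSPATH / the site's full filesystem path
    ) );
}
```

The two properties that matter for a permission callback are that it never returns true by default, and that the only things that can grant access are credentials the server can verify (WordPress's own user session or a secret compared with `hash_equals`). Returning `WP_Error` with `rest_authorization_required_code()` also gives the right status code for monitoring: repeated 401s on such a route are a useful signal in web server logs.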

We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.

Full details at: https://www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities
