OptinMonster is an incredibly intuitive and easy to use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin’s functionality as well as the OptinMonster app site rely on the use of API endpoints to allow seamless integration and a streamlined design process.
Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
The most critical of the REST-API endpoints was the
Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint due to the functionality implemented within the
logged_in_or_has_api_key function used as the
We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.