PT-2021-22548 · WordPress · Optinmonster

Chloe Chamberland · Published 2021-10-29 · Updated 2025-06-12 · CVE-2021-39341

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OptinMonster WordPress plugin versions up to, and including, 2.6.4
Description: The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation. The issue can be exploited to inject malicious web scripts on sites with the plugin installed. The vulnerability affects over 1 million sites and allows unauthorized access to the API, disclosure of confidential information, and injection of malicious JavaScript. The logged_in_or_has_api_key() function in the ~/OMAPI/RestApi.php file is specifically implicated. An attacker holding an API key can make changes to OptinMonster accounts or place malicious JavaScript on a site, which is executed every time an OptinMonster element is activated. The API endpoint /wp-json/omapp/v1/support can reveal sensitive data such as the full path to the site on the server and the API keys used for site requests.
Recommendations: For versions up to, and including, 2.6.4, update to version 2.6.5 or later to resolve the issue. Additionally, consider restricting access to the API and limiting the use of WordPress site keys to modify OptinMonster campaigns until the update is applied. As a temporary workaround, consider disabling the logged_in_or_has_api_key() function in the ~/OMAPI/RestApi.php file until a patch is available.
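As an added illustration of the authorization pattern the description calls out (example code, not OptinMonster's own), the following WordPress REST route uses a permission callback that accepts only an administrator-capable user or a constant-time service-key match over HTTPS, and a diagnostic handler that reports versions rather than server paths or keys. The route namespace, header name and option name are hypothetical placeholders.

```php
<?php
// Added illustrative example, not OptinMonster's code. Names below
// ('example-plugin/v1', 'X-Example-Key', 'example_plugin_service_key')
// are hypothetical placeholders.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_support_info',
        'permission_callback' => 'example_plugin_can_read_support',
    ) );
} );

/**
 * Authorization check. Merely being logged in is not sufficient; the caller
 * must hold a real capability, or present a valid service key over TLS.
 */
function example_plugin_can_read_support( WP_REST_Request $request ) {
    // Path 1: cookie/nonce-authenticated user with the admin capability.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return true;
    }

    // Path 2: machine caller presenting the site's service key.
    if ( ! is_ssl() ) {
        // Refuse bearer-style keys over cleartext HTTP.
        return new WP_Error( 'rest_forbidden', 'HTTPS required', array( 'status' => 403 ) );
    }
    $presented = (string) $request->get_header( 'X-Example-Key' );
    $expected  = (string) get_option( 'example_plugin_service_key', '' );

    // Empty stored key means key auth is not configured; hash_equals avoids timing leaks.
    if ( '' === $expected || '' === $presented || ! hash_equals( $expected, $presented ) ) {
        return new WP_Error( 'rest_forbidden', 'Not authorized', array( 'status' => 401 ) );
    }
    return true;
}

// The response deliberately omits filesystem paths and key material.
function example_plugin_support_info( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'plugin_version' => '0.0.0-example',
        'wp_version'     => get_bloginfo( 'version' ),
        'php_version'    => PHP_VERSION,
    ) );
}
```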

Weakness Enumeration: Incorrect Authorization; Improper Authorization; Cleartext Transmission of Sensitive Information

Related Identifiers: CVE-2021-39341

Affected Products: Optinmonster