OptinMonster vulnerability hampers 1M+ sites


Security researchers at Wordfence recently reported a flaw in the OptinMonster WordPress plugin. The vulnerability lets attackers upload malicious scripts that run against site visitors, and it can lead to a full site takeover. The root cause is a missing basic security check, and more than a million sites that run the plugin are exposed.

Exploiting the flaw required no particular expertise on the attacker's part. According to Wordfence, the problem lies in OptinMonster's implementation of the WordPress REST API, which performed insufficient capability checking: the plugin did not verify that the caller was actually allowed to perform the requested action. Implemented correctly, the REST API is a secure way to extend the CMS. It lets plugins and themes read and modify site data without weakening security, but only if every endpoint enforces its own permission check.

The WordPress REST API itself is not at fault here; the weakness is in how OptinMonster used it, so every site running a vulnerable version of the plugin is affected.

REST API endpoints are URLs that expose site resources such as posts and pages, which a theme or plugin can read or modify. According to Wordfence, each of OptinMonster's REST API endpoints was improperly implemented, and the firm was critical of the plugin's REST API integration as a whole. Because the endpoints did not check capabilities, unauthenticated attackers could reach many of them on any site running a vulnerable version.
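To make the "insufficient capability checking" concrete, here is an added example written for this page; it is not OptinMonster's code and does not reproduce the plugin's actual routes. It registers the same hypothetical route two ways with the standard WordPress API: once with a permission callback that admits anyone (the class of bug described above), and once gated on a capability check. The namespace `example/v1`, the option name `example_banner_text`, the `manage_options` capability and the handler names are all assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not OptinMonster's code: a WordPress REST route registered
 * in a vulnerable form and in a hardened form. Route namespace, option name,
 * capability and function names are hypothetical placeholders.
 */

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: '__return_true' performs no capability check, so any
    // visitor can GET or POST /wp-json/example/v1/banner-insecure. Because no
    // 'args' sanitization is declared either, an attacker can store arbitrary
    // HTML (including <script>) that the plugin later prints on the frontend,
    // which is the kind of impact the advisory describes.
    register_rest_route( 'example/v1', '/banner-insecure', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_handle_banner',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED PATTERN: the permission callback runs before the handler and
    // refuses the request unless the caller holds manage_options (site admins
    // by default). Cookie-authenticated REST calls must also carry a valid
    // X-WP-Nonce, so a cross-site request cannot ride an admin's session.
    // The parameter is sanitized on the way in as a second layer of defence.
    register_rest_route( 'example/v1', '/banner', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_handle_banner',
        'permission_callback' => 'example_banner_permission',
        'args'                => array(
            'banner_text' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * Capability check for the hardened route. Returning a WP_Error instead of
 * false gives the client a machine-readable error code; the status is 401
 * for anonymous callers and 403 for logged-in users who lack the capability.
 */
function example_banner_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage the banner.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Shared handler: reads or stores the banner setting. The handler itself is
 * identical for both routes; only the permission and sanitization declared at
 * registration time differ, which is exactly where a missing check hurts.
 * Output on the frontend must still be escaped (e.g. esc_html) when rendered.
 */
function example_handle_banner( WP_REST_Request $request ) {
    $option = 'example_banner_text';

    if ( 'POST' === $request->get_method() ) {
        $value = $request->get_param( 'banner_text' );
        update_option( $option, (string) $value );
    }

    return rest_ensure_response( array(
        'banner_text' => get_option( $option, '' ),
    ) );
}
```

A quick check from outside the site makes the difference visible: an unauthenticated `curl -X POST` with a `banner_text` body to the insecure route returns 200 and stores the value, while the same request to the hardened route returns 401 with `"code":"rest_forbidden"` and nothing is written. Auditing a plugin for this bug class means reading every `register_rest_route` call and confirming that its `permission_callback` does more than return `true`.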

Some vulnerabilities require the attacker to hold an account on the target site, which raises the bar for exploitation. This one has no such barrier: no authentication was needed to exploit OptinMonster, so any visitor to a vulnerable site could attack it.

Wordfence warned about the severity of the attacks the flaw enables and notified publishers to upgrade. The fixed release is OptinMonster 2.6.5, and Wordfence recommends that every site update to it without delay. WordPress also publishes documentation on REST API best practices, which covers how a plugin should check capabilities on the endpoints it exposes.
