WordPress security researchers at Wordfence reported that a flaw in the OptinMonster WordPress plugin allowed hackers to upload malicious scripts that attack site visitors and can lead to full site takeovers. The failure to perform a basic security check exposed over a million sites to potential hacking.
The Wordfence researchers commented:
“…we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites.”
Lack of REST-API Endpoint Capability Checking
This vulnerability isn’t the result of hackers being especially clever and finding a way to exploit a perfectly coded WordPress plugin. Quite the opposite.
According to the security researchers at Wordfence, a popular WordPress security company, the exploit was possible because of how the OptinMonster plugin implemented its WordPress REST-API endpoints, a failure Wordfence described as “insufficient capability checking.”
When properly coded, the REST-API is a secure way to extend WordPress functionality, allowing plugins and themes to interact with a WordPress site to manage and publish content. It lets a plugin or theme read and modify site data without compromising security… if properly coded.
The WordPress REST-API documentation states:
“…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
The WordPress REST-API is supposed to be secure.
Unfortunately, every website running a vulnerable version of OptinMonster was exposed because of how OptinMonster implemented the WordPress REST-API.
Majority of REST-API Endpoints Compromised
REST-API endpoints are URLs that expose a WordPress site’s resources, such as its posts and pages, which a plugin or theme can read and modify.
But according to Wordfence, almost every REST-API endpoint in OptinMonster was improperly coded, compromising website security.
Wordfence commented on how poorly OptinMonster’s REST-API was implemented:
“…the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
…nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”
Unauthenticated means an attacker who isn’t logged in to, or registered in any way with, the website being attacked.
Some vulnerabilities require an attacker to be registered as a subscriber or contributor, which makes a site a little harder to attack, especially if the site doesn’t accept subscriber registrations.
This vulnerability had no such barrier at all: no authentication was necessary to exploit OptinMonster, which is the worst-case scenario compared to exploits that require an account.
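To make “insufficient capability checking” concrete, here is an added example in PHP, the language WordPress plugins are written in. It is not OptinMonster’s code and is not taken from Wordfence’s write-up: a hypothetical plugin registers the same settings endpoint twice, once with a permission_callback that admits every request, and once with a real capability check. The namespace, route, option and function names are invented for illustration.

```php
<?php
/**
 * Added example (not OptinMonster's code): one REST endpoint registered two
 * ways. "example-plugin" and every function/option name below are made up.
 */

// --- Weak pattern: the permission_callback admits every request. ---
// Any unauthenticated visitor can call
//   GET  /wp-json/example-plugin/v1/settings-insecure
//   POST /wp-json/example-plugin/v1/settings-insecure
// and read or overwrite the plugin's settings. This is what
// "insufficient capability checking" looks like in code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-insecure', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_plugin_settings_handler',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
} );

// --- Hardened pattern: require a logged-in user with a specific capability. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_plugin_settings_handler',
        'permission_callback' => 'example_plugin_can_manage_settings',
        'args'                => array(
            'api_key' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * Authorization check. WordPress runs this before the route callback and
 * answers with a JSON error (401 or 403) when it returns false or a WP_Error.
 * Cookie-authenticated REST requests must also carry a valid nonce in the
 * X-WP-Nonce header; WordPress checks the nonce before this runs, and a
 * request without one is treated as unauthenticated, so current_user_can()
 * sees no logged-in user and the request is refused.
 */
function example_plugin_can_manage_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage these settings.', 'example-plugin' ),
            array( 'status' => is_user_logged_in() ? 403 : 401 )
        );
    }
    return true;
}

// Shared handler: reads the setting on GET, overwrites it on POST.
function example_plugin_settings_handler( WP_REST_Request $request ) {
    if ( 'POST' === $request->get_method() ) {
        update_option( 'example_plugin_api_key', $request->get_param( 'api_key' ) );
    }
    return rest_ensure_response( array(
        'api_key' => get_option( 'example_plugin_api_key', '' ),
    ) );
}
```

Two things are worth noting when reviewing a plugin’s routes. Since WordPress 5.5, registering a route with no permission_callback at all triggers a _doing_it_wrong notice, but a callback that simply returns true, as in the first registration, passes silently, so the protection is only as strong as the capability test inside the callback. And a permission_callback that returns true is legitimate only for endpoints that are meant to be public, which means they must neither expose sensitive data nor change anything on the site.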
Wordfence warned about how bad an attack on a website using OptinMonster could be:
Recommended Course of Action
Wordfence notified the publishers of OptinMonster, who about ten days later released an updated version of the plugin that closed all of the security holes.
The most secure version of OptinMonster is version 2.6.5.
Wordfence recommends that all users of OptinMonster update their plugin:
“We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.”
WordPress offers documentation on best practices for the REST-API and asserts that it is a secure technology:
“…it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
So if these kinds of security issues aren’t supposed to occur, why do they keep happening?
With over a million sites affected by this vulnerability, one has to wonder why, if best practices exist, this kind of vulnerability happened in a plugin as popular as OptinMonster.
While this isn’t the fault of WordPress itself, this kind of incident reflects negatively on the entire WordPress ecosystem.