OptinMonster Plugin < 2.6.5 - Unprotected REST-API

Short Info


Level

High

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

19 days 7 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.


References:
Get started to protecting your digital assets