OptinMonster Plugin < 2.6.5 - Unprotected REST-API

Short Info

Level

High

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

19 days 7 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-39341
https://plugins.trac.wordpress.org/browser/optinmonster/trunk/OMAPI/RestApi.php?rev=2606519#L1460
https://wordfence.com/vulnerability-advisories/#CVE-2021-39341

Get started to protecting your digital assets

Start trial See the plans

OptinMonster Plugin < 2.6.5 - Unprotected REST-API

Short Info

-

Detail

Category