Application Security , Breach Notification , Incident & Breach Response
WordPress Plug-In Bugs Put 1 Million-Plus Sites At RiskExploitation May Have Exposed REST-API Endpoints on Sites, Researchers Say
A WordPress plug-in installed in more than 1 million websites that was vulnerable to high-severity bugs has now been patched.
See Also: Webinar | How the SASE Architecture Enables Remote Work
Updated versions of the plug-in - from v2.6.5 - fix these flaws, Wordfence researchers say.
Currently, more than 30% of the web is powered by WordPress, says Uriel Maimon, senior director of emerging technologies at threat protection services provider PerimeterX.
On its website, OptinMonster estimates that more than 1.2 million websites, including American Express, ClickBank, Pinterest, Experian, Trip Advisor and Harvard University, use the plug-in.
The Vulnerability Chain
The vulnerabilities are tracked under CVE-2021-39341, Wordfence notes in its security blog.
The company did not immediately respond to Information Security Media Group's request for details about how the exploit chain works.
On its blog, the company's researchers explain that a vast majority of OptinMonster's plug-in and app site functionalities rely on the use of API endpoints, which enable seamless integration and a streamlined design process. These API endpoints, the researchers add, were vulnerable due to insecure implementation.
"The majority of the REST API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plug-in," Wordfence says.
A REST API or RESTful API is an application programming interface that conforms to the design principles of REST - representational state transfer - architectural style and allows interaction with RESTful web services. REST is not a standard or a protocol, but is used by API developers because it allows them flexibility and offers lightweight methods of implementation.
"When a client request is made via a RESTful API, it transfers a representation of the state of the resource to the requester or endpoint," IBM says.
Wordfence researchers observed the vulnerability chain in one of the most critical REST API endpoints of OptinMonster - the /wp-json/omapp/v1/support endpoint. This REST API contains sensitive data, including a site’s full server path and API keys that help make requests on the OptinMonster site. "With access to this API key, an attacker has the privilege to modify or launch any campaign that the site connected to an OptinMonster account is running," according to Wordfence.
"Nearly every other REST-API endpoint registered in the plug-in was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions," the researchers say, adding that attackers would have had the ability to change settings, view campaign data, and enable/disable debug mode.
Wordfence says its researchers responsibly disclosed all the vulnerabilities to OptinMonster on Sept. 28. While OptinMonster released a fix the next day, it also heeded the researchers' improvement suggestions and fully patched the bugs in the 2.6.5 version released a week later, Wordfence adds.
As a fix, the OptinMonster team invalidated all API keys to force site owners to generate new keys in the event that a key had been previously compromised. It also implemented restrictions that inhibit API keys associated with WordPress sites from being able to make campaign changes using the OptinMonster app. "[This] prevents successful exploitation of the vulnerability chain," the researchers say.
OptinMonster's updated change log shows that the patched version 2.6.6 fixes a range of additional errors as well.
Vulnerabilities in WordPress plug-ins have been observed by Wordfence researchers several times. In March, they reported that a WordPress plug-in called Tutor LMS had several vulnerabilities associated with the unprotected AJAX endpoints. These flaws were later patched. (see: WordPress LMS Tutor Plug-In Flaws Patched).