WordPress Plug-In Bugs Put 1 Million-Plus Sites At Risk
Exploitation May Have Exposed REST-API Endpoints on Sites, Researchers Say
A WordPress plug-in installed in more than 1 million websites that was vulnerable to high-severity bugs has now been patched.
The vulnerabilities in the OptinMonster plug-in, which helps customers create sales campaigns, would have allowed attackers to export sensitive information and add malicious pieces of code or JavaScript to all affected WordPress sites, according to threat intelligence company Wordfence.
Updated versions of the plug-in - from v2.6.5 - fix these flaws, Wordfence researchers say.
Currently, more than 30% of the web is powered by WordPress, says Uriel Maimon, senior director of emerging technologies at threat protection services provider PerimeterX.
"This current flaw allows unauthorized API access and sensitive information disclosure on roughly 1 million WordPress sites, [and] could allow attackers to inject malicious JavaScript code into exposed websites. Attackers can then plant malware, steal data and hijack users to nefarious sites. Without continuous visibility and control of the changes made to JavaScript code on websites, any business that relies on a supply chain of third-party scripts could suffer the same fate," says Maimon.
On its website, OptinMonster estimates that more than 1.2 million websites, including American Express, ClickBank, Pinterest, Experian, Trip Advisor and Harvard University, use the plug-in.
The Vulnerability Chain
The vulnerabilities are tracked under CVE-2021-39341, Wordfence notes in its security blog.
The company did not immediately respond to Information Security Media Group's request for details about how the exploit chain works.
On its blog, the company's researchers explain that a vast majority of OptinMonster's plug-in and app site functionalities rely on the use of API endpoints, which enable seamless integration and a streamlined design process. These API endpoints, the researchers add, were vulnerable due to insecure implementation.
"The majority of the REST API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plug-in," Wordfence says.
A REST API, or RESTful API, is an application programming interface that conforms to the design principles of the REST (representational state transfer) architectural style and allows interaction with RESTful web services. REST is not a standard or a protocol, but it is widely used by API developers because it gives them flexibility and offers lightweight methods of implementation.
"When a client request is made via a RESTful API, it transfers a representation of the state of the resource to the requester or endpoint," IBM says.
Wordfence researchers observed the vulnerability chain in one of the most critical REST API endpoints of OptinMonster - the /wp-json/omapp/v1/support endpoint. This endpoint returns sensitive data, including a site's full server path and the API keys used to make requests to the OptinMonster service. "With access to this API key, an attacker has the privilege to modify or launch any campaign that the site connected to an OptinMonster account is running," according to Wordfence.
Additionally, exploitation of the vulnerability could have enabled an attacker to add malicious JavaScript that executes every time a campaign is displayed on the exploited site, the researchers say. "[This] could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plug-in code with a webshell to gain backdoor access to a site."
"Nearly every other REST-API endpoint registered in the plug-in was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions," the researchers say, adding that attackers would have had the ability to change settings, view campaign data, and enable/disable debug mode.
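The bug class Wordfence describes is a REST route whose permission check never denies anyone. The following illustrative WordPress plug-in code is an added example, not OptinMonster's or Wordfence's code; the `example-plugin/v1` namespace, option name and function names are assumptions. It shows the insecure registration beside a hardened one that requires a real capability:

```php
<?php
// Illustrative plug-in code (not OptinMonster's): a REST route registered
// without a real authorization check, next to a hardened registration.

// Vulnerable pattern: permission_callback always returns true, so any
// unauthenticated visitor can call the route and read whatever the
// callback returns (server path, API key, settings, debug flags, ...).
function example_register_insecure_route() {
    register_rest_route( 'example-plugin/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_support_info',
        'permission_callback' => '__return_true', // no capability check
    ) );
}

// Hardened pattern: only logged-in users with manage_options (administrators)
// may reach the route. Cookie-authenticated callers must also send a valid
// X-WP-Nonce header; without it WordPress treats the request as anonymous,
// so current_user_can() fails and the route is denied.
function example_register_secure_route() {
    register_rest_route( 'example-plugin/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_support_info',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view support data.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
    ) );
}

// Shared callback. Even behind a correct permission check, keep secrets out
// of the response: expose a masked key prefix, never the raw key or the
// absolute server path.
function example_support_info( WP_REST_Request $request ) {
    $api_key = get_option( 'example_plugin_api_key', '' ); // assumed option name
    return rest_ensure_response( array(
        'plugin_version' => '1.0.0',
        'api_key_hint'   => '' === $api_key ? null : substr( $api_key, 0, 4 ) . '****',
        'site_url'       => home_url(),
    ) );
}

add_action( 'rest_api_init', 'example_register_secure_route' );
```

The difference between the two registrations is the entire fix for this bug class; the insecure version is what an audit of a plug-in's `register_rest_route()` calls should flag.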
The Fix
Wordfence says its researchers responsibly disclosed all the vulnerabilities to OptinMonster on Sept. 28. While OptinMonster released a fix the next day, it also heeded the researchers' improvement suggestions and fully patched the bugs in the 2.6.5 version released a week later, Wordfence adds.
As a fix, the OptinMonster team invalidated all API keys to force site owners to generate new keys in the event that a key had been previously compromised. It also implemented restrictions that inhibit API keys associated with WordPress sites from being able to make campaign changes using the OptinMonster app. "[This] prevents successful exploitation of the vulnerability chain," the researchers say.
OptinMonster's updated change log shows that the patched version 2.6.6 fixes a range of additional errors as well.
Vulnerabilities in WordPress plug-ins have been observed by Wordfence researchers several times. In March, they reported that a WordPress plug-in called Tutor LMS had several vulnerabilities associated with unprotected AJAX endpoints. These flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).