One million WordPress sites at risk of attack

Vulnerabilities made websites prone to attacks by any visitor


Cybersecurity researchers have helped patch several vulnerabilities in an extremely popular WordPress plugin, which could have been exploited by any visitor to perform a number of actions against affected WordPress websites, such as exporting sensitive information.

The vulnerabilities, discovered by WordPress security experts Wordfence, existed in the OptinMonster plugin, which boasts a user base of over a million websites.

OptinMonster helps create sales campaigns on WordPress websites with little effort, through the use of dialogs. Wordfence explains that the vast majority of the plugin's functionality, as well as the OptinMonster app site, relies on API endpoints.

Open sesame


“Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin,” wrote Wordfence’s threat analyst Chloe Chamberland.

In her rundown of the vulnerabilities, Chamberland notes that one of the vulnerable endpoints could have been exploited to leak sensitive data, such as the site’s full path on the server, along with the API key the website uses to make requests to the OptinMonster site.

“With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site,” says Chamberland.
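The root cause Wordfence describes is a WordPress REST route that anyone can call. In WordPress the gatekeeper for a REST route is its permission_callback; registering a route with '__return_true' makes it reachable by unauthenticated visitors, and if the handler returns configuration data, the API key and server path go out with it. The following is an added illustration, not OptinMonster's code: the insecure registration pattern next to a hardened version that requires an administrator and never returns the secret. The namespace, route names, option name and campaign handler are hypothetical.

```php
<?php
/*
 * Added illustration (not OptinMonster's code). Route namespace, option
 * name and the campaign handler below are hypothetical.
 */

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: '__return_true' lets any visitor, logged in or not,
    // GET /wp-json/example-optin/v1/settings-insecure and read the key and path.
    register_rest_route( 'example-optin/v1', '/settings-insecure', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array(
                'api_key'   => get_option( 'example_optin_api_key' ), // secret leaked
                'site_path' => ABSPATH,                               // server path leaked
            ) );
        },
    ) );

    // HARDENED: require an authenticated administrator, and even then do not
    // hand the full key back to the browser; a hint is enough for a settings UI.
    register_rest_route( 'example-optin/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $key = (string) get_option( 'example_optin_api_key' );
            return rest_ensure_response( array(
                'connected'    => $key !== '',
                'api_key_hint' => $key === '' ? '' : '...' . substr( $key, -4 ),
            ) );
        },
    ) );

    // State-changing routes (campaign edits) get the same capability check,
    // are limited to non-GET methods, and validate their parameters.
    register_rest_route( 'example-optin/v1', '/campaigns/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $param ) {
                    return is_numeric( $param );
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // Hypothetical: update campaign $request['id'] here.
            return rest_ensure_response( array( 'updated' => (int) $request['id'] ) );
        },
    ) );
} );
```

Two details matter in practice. Cookie-authenticated REST calls must carry a valid nonce in the X-WP-Nonce header; without it WordPress runs the request as an anonymous user, so current_user_can() returns false and the hardened routes refuse the call. And since WordPress 5.5, registering a route with no permission_callback at all raises a _doing_it_wrong notice, which is a cheap thing to grep for when auditing a plugin.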

She notes, rather worryingly, that the vulnerability could have been exploited by any visitor to the website.


Although there are no reports of the vulnerabilities being exploited in the wild, the plugin developer has invalidated all existing API keys, forcing users to generate new ones. It has also patched all of the vulnerabilities and tightened the process by which campaigns can be modified.


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
