If You Haven’t Done So, Update OptinMonster to the Latest Version

Wordfence has published details of several security vulnerabilities they discovered in the OptinMonster plugin back on September 28th, 2021. According to their report, the flaws made it possible for an unauthenticated attacker to export sensitive information and add malicious JavaScript to WordPress sites, in addition to other actions.

Wordfence notified the company on September 28th and OptinMonster released a patch the following day. However, additional work was needed on the patch. The fully patched version was released on October 7th as 2.6.5. The most up-to-date version available as of writing this article is 2.6.6.

Most of the problem came down to REST API endpoints that were implemented insecurely, making it possible for unauthenticated users to access them. One of these endpoints disclosed sensitive data such as the full site path on the server and the API keys needed to make requests to the OptinMonster website.
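
As an added illustration of the pattern described above (this is not OptinMonster's or Wordfence's code; the route names, option name and capability are assumptions), here is a WordPress REST route registered with a permission callback that lets anyone call it, beside a hardened form that requires a logged-in user with an appropriate capability:

```php
<?php
// Added illustration (not OptinMonster's code): how a WordPress REST route
// becomes reachable by unauthenticated users, and a hardened alternative.
// Route names, the option name and the capability are assumptions.

add_action( 'rest_api_init', function () {

    // WEAK: a permission callback that always returns true makes the route
    // public. Anyone who can reach /wp-json/ can call it and read whatever
    // the callback returns, including any API key stored in the settings.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_get_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require an authenticated user holding a capability.
    // current_user_can() is false for unauthenticated callers, so they are
    // refused before the callback runs; rest_authorization_required_code()
    // picks 401 for anonymous callers and 403 for logged-in users who lack
    // the capability.
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_get_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read these settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_plugin_get_settings( WP_REST_Request $request ) {
    // Hypothetical settings option. Secrets such as API keys should only be
    // returned to callers the permission callback has already authorized,
    // and ideally should not be exposed over the REST API at all.
    $settings = get_option( 'example_plugin_settings', array() );
    return rest_ensure_response( $settings );
}
```

A quick audit check when reviewing a plugin is to search its source for `permission_callback` values of `'__return_true'` (or callbacks that return true unconditionally) and confirm that each such route is genuinely meant to be public and returns nothing sensitive.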

With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

Wordfence

For additional details on how the vulnerabilities could be exploited, read their findings and make sure OptinMonster is updated to at least 2.6.5.