The OptinMonster team promptly patched the plugin and updated the plugin again after more feedback from the Wordfence team. Version 2.6.5 was released on October 7, 2021, to address these issues.
OptinMonster is used on more than 1 million WordPress sites to create popup campaigns, email subscription forms, sticky announcement bars, and gamified spin-a-wheel opt-in forms. The plugin relies heavily on the use of WP REST API endpoints. Chamberland identified the majority of these endpoints as “insecurely implemented:”
Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint
As a precaution, OptinMonster has invalidated all API keys, forcing administrators to generate new ones, in case any keys had been previously compromised. There are no sites known to have been exploited at this time, but the vulnerabilities are now public. Site owners are advised to update to the latest version of the plugin as soon as possible.