Nov 2, 2021
0 0

Update your OptinMonster WordPress plugin immediately

Written by

We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Cybersecurity Month: Save 25% on EP and EDR for your business – BUY NOW

Exploits and vulnerabilities
Posted: by
WordPress, the incredibly popular content management platform, is currently dealing with a nasty plugin bug which allows redirects.
Like most blogging platforms, WordPress allows you to change up its default functionality. This is done by adding bits of kit called plugins. Some will be from WordPress itself, others are created and maintained by third parties. Any plugin can be potentially unsafe, or coded poorly, or compromised in some way. It’s also entirely possible for rogues to make their own innocent looking plugin and cause chaos.
Plugins are often in the news for these kinds of problems. Just this month, we covered a WordPress plugin susceptible to multiple vulnerabilities. Last month, it was a plugin leaving shoppers vulnerable to cross site scripting bugs and a form of JavaScript injection. There are so many plugins that it’s a surefire bet another plugin will be the latest compromise before long. And even when it’s not possible to be 100% sure a plugin was involved in an attack, you can end up with a bad situation very quickly. Shall we see what’s happened this time?
Yes, an astonishing 1 million WordPress sites have been affected this time around. A plugin called OptinMonster is a tool designed to make your site “sticky”. That is, keep people around for longer, convert interest to sales, sign up to newsletters, build up elements of your site, and more.
This plugin relies on API endpoints to do its job. An API is an Application Programming Interface, and you can read a fantastic plain-English description of what an API is and does here.
Sadly, it seems some of the endpoints weren’t secure, and attackers with API keys designed for use with the OptinMonster service could get up to no good. Changes could be made to accounts, or malicious code could be placed on the site without a visitor’s knowledge.
The bug, known as CVE-2021-39341 and discovered at the end of September, has been addressed by the OptinMonster developers. Stolen API keys have been invalidated, and a patch was released on the October 7. It’s possible more updates may appear over the next few weeks.
If your API key has been revoked, you’ll have to create a new one. You should also ensure your plugin is kept up to date. In fact, you should be doing this for all of your plugins. It may be worth checking if they’re still maintained, and browsing the latest reviews to see if people are suddenly complaining about peculiar activity.
If you have plugins installed which you don’t use at all, or only very rarely, it may be worth having a spring clean. Often we rush to install dozens of plugins on a new website, and before we know it, we’ve forgotten what half of them are. There they sit, for months or years, just waiting for a juicy vulnerability to come along. Why take the risk?
There’s a number of ways you can keep your WordPress site safe from harm where plugins are concerned. Our advice is to devote some time to digging through the weeds and see what exactly you have lurking in the undergrowth.
Security world | Technology
January 22, 2019 – Whoever invented browser push notifications must have been able to guess they would be abused for advertising. This post explains what they are and how to disable them.
Technology | Threat analysis
October 31, 2017 – As an alternative to reverse engineering malware that is protectively packed, we look at the option of analyzing malware by API calls to determine what a file might be up to.

Silouette of person

Threat Center

Book with bookmark

Suspicious person

Write for Labs

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
© All Rights Reserved
Select your language
Cybersecurity basics
Your intro to everything relating to cyberthreats, and how to stop them.


Article Categories:

Leave a Reply