A vulnerability (CVE-2021-39341) has been identified in OptinMonster, a WordPress plugin with more than a million active installations that is used to display pop-up notifications and offers. The flaw allows an attacker to inject their own JavaScript code into a site that uses the plugin. The vulnerability is fixed in release 2.6.5. To block access through keys that had already been captured, the OptinMonster developers revoked all previously issued API access keys after releasing the update and tightened the restrictions on modifying OptinMonster campaigns from WordPress sites.
The problem is caused by the REST API endpoint /wp-json/omapp/v1/support, which could be reached without authentication: the request was processed without any further checks if the Referer header contained the string "https://wp.app.optinmonster.test" and the HTTP request method was set to OPTIONS (the method could be overridden with the X-HTTP-Method-Override header). The data returned by this REST API endpoint included an access key that allowed requests to be sent to any REST API handler.
With the obtained key, an attacker could modify any of the pop-up blocks displayed by OptinMonster, including arranging for their own JavaScript code to run. Being able to execute JavaScript in the context of the site, the attacker could redirect visitors to their own site or, when the JavaScript runs in an administrator's browser, plant a privileged account through the web interface. With access to the web interface, the attacker could go on to execute their own PHP code on the server.
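The root cause described above is a REST route whose access decision rests on client-controlled headers (Referer and the request method, which itself can be relabelled via X-HTTP-Method-Override) instead of on WordPress's authentication and capability system. The following is an added example, not OptinMonster's code, showing the weak pattern beside the hardened form as a plugin author would write it with the WordPress REST API. The namespace 'example/v1', the route names and the handler function are hypothetical; `register_rest_route`, `WP_REST_Request::get_header()`, `WP_REST_Request::get_method()` and `current_user_can()` are real WordPress APIs.

```php
<?php
// Added example (not OptinMonster's code). Two ways of registering a WordPress
// REST route: the first reproduces the weak pattern from the article, the
// second uses a proper capability check. Namespace, routes and the handler
// name are hypothetical.

add_action( 'rest_api_init', function () {

    // WEAK: the permission callback trusts the Referer header and the request
    // method. Both are chosen by the client: Referer is an arbitrary string,
    // and method-override headers let a client relabel the method it sends.
    // A check like this authenticates nobody; it is the class of flaw behind
    // CVE-2021-39341 and exists here only to contrast with the hardened route.
    register_rest_route( 'example/v1', '/support-weak', array(
        'methods'             => WP_REST_Server::ALLMETHODS,
        'callback'            => 'example_support_data',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $referer = (string) $request->get_header( 'referer' );
            return false !== strpos( $referer, 'https://wp.app.optinmonster.test' )
                && 'OPTIONS' === $request->get_method();
        },
    ) );

    // HARDENED: require an authenticated user holding a suitable capability.
    // WordPress only treats a cookie-authenticated REST request as logged in
    // when it carries a valid X-WP-Nonce, so this check cannot be satisfied by
    // an anonymous request no matter which headers it sets. Application
    // passwords and other REST auth methods plug into the same decision.
    register_rest_route( 'example/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_support_data',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Handler shared by both routes. Secrets such as an API access key must not
// be part of a response whose route can be reached without the capability
// check, so none is returned here.
function example_support_data( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'plugin_version' => 'x.y.z',    // placeholder value
        'site'           => home_url(),
        // 'api_key' => ... deliberately not included
    ) );
}
```

When auditing a plugin, every `register_rest_route` call is worth reading for its `permission_callback`: a callback that returns `true` unconditionally, or one that inspects only request headers, query parameters or the method, should be treated as an unauthenticated endpoint and reviewed for what its response and side effects expose.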