[TheRecord] WordPress plugin bug lets attackers inject code into vulnerable sites

A security flaw found in a popular WordPress plugin installed on more than one million websites allows attackers to inject malicious code into vulnerable sites.

Discovered by Wordfence, a provider of web firewalls for WordPress sites, the vulnerability impacts a plugin that integrates the OptinMonster sales, marketing, and newsletter platform inside WordPress websites.

“These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions,” said Wordfence security researcher Chloe Chamberland.

In a technical report published earlier today, Chamberland blamed the issue on poor coding.

Specifically, Chamberland said the plugin had left many of the OptinMonster API endpoints open to commands from anyone who could reach the sites where the plugin was installed.

Chamberland said an attacker could query these API endpoints and get details about the site, including its OptinMonster API key.

The attacker could then use this API key to make changes to the site’s OptinMonster marketing and sales campaigns and add their own malicious code to the popups the plugin was showing to site visitors.
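The pattern described above, a plugin REST endpoint that answers any site visitor and hands back a secret, is a general WordPress mistake rather than anything specific to one vendor. The following is an added illustration, not code from OptinMonster, Wordfence or the original article: the route names, option name and callback functions are hypothetical, and the mechanism shown (a permissive `permission_callback`) is an assumed, generic instance of the flaw class, not a claim about how the OptinMonster code was written. It shows a weak route beside a hardened one using only standard WordPress REST API functions.

```php
<?php
// Added illustration (not OptinMonster's or Wordfence's code): the general
// WordPress REST pattern behind "API endpoints open to any site visitor".
// Route names, option names and callbacks below are hypothetical.

add_action( 'rest_api_init', function () {

    // WEAK: permission_callback accepts every request, so an unauthenticated
    // visitor can call the route and read whatever it returns, here the
    // site's third-party API key stored in wp_options.
    register_rest_route( 'example-plugin/v1', '/settings-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_get_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require a logged-in user with an administrative capability.
    // For cookie-authenticated requests WordPress also checks the REST nonce
    // (X-WP-Nonce) before the callback runs, so a cross-site request sent
    // from a visitor's browser is rejected as well.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_get_settings_safe',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read plugin settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_plugin_get_settings( WP_REST_Request $request ) {
    // Returning the raw secret to the caller is what makes the weak route
    // dangerous: whoever holds the key can act on the site's account at the
    // third-party service, which is the escalation the article describes.
    return rest_ensure_response( array(
        'api_key' => get_option( 'example_plugin_api_key' ),
    ) );
}

function example_plugin_get_settings_safe( WP_REST_Request $request ) {
    // Even for authorised callers, do not echo the secret back; report only
    // whether one is configured. The key stays server-side.
    $key = get_option( 'example_plugin_api_key', '' );
    return rest_ensure_response( array(
        'api_key_configured' => '' !== $key,
    ) );
}
```

Two points for anyone reviewing a plugin: a `permission_callback` of `__return_true` is only appropriate for routes that return genuinely public data, so grepping a plugin for that literal (and for callbacks that only inspect headers such as the referer) is a quick audit step; and a read endpoint should never need to return a stored credential, because a secret that is only ever used server-side cannot be leaked by a request that gets past the permission check.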

Chamberland said the Wordfence team reported the issue to OptinMonster in late September and that the company released a temporary patch a day later, with a full patch delivered on October 7, via the OptinMonster 2.6.5 release.

Additionally, since the company couldn’t tell if the issue had been previously exploited, OptinMonster also invalidated all API keys and forced customers to generate new ones.

Wordfence disclosed the issue today to give the plugin’s more than one million users time to update their sites before mass exploitation of the issue is likely to begin.

The post WordPress plugin bug lets attackers inject code into vulnerable sites appeared first on The Record by Recorded Future.
