OptinMonster is a popular WordPress plugin installed on over a million WordPress websites. It provides customer-acquisition and lead-generation functionality to its users.
Wordfence, a popular web application firewall and security provider for WordPress, disclosed vulnerabilities in the OptinMonster plugin. These vulnerabilities allow an attacker to export sensitive information and to add malicious JavaScript to WordPress sites. An attacker can also gain backend access to the site.
“We sent the full disclosure details to OptinMonster on September 28, 2021, after confirming the appropriate channel to handle communications. The OptinMonster team quickly acknowledged the report by releasing a patch the next day. We followed up to let them know some improvements were needed on the patch and a fully patched version was released as 2.6.5 on October 7, 2021.”
- Wordfence Team
OptinMonster users are strongly advised to scan their websites for signs of compromise and to update to the patched version 2.6.5 or higher. The full vulnerability details are available in Wordfence's disclosure.
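A quick way to confirm whether an installed copy is at or above the patched release is to read the version from the plugin's own header comment, which WordPress keeps in the first 8 KB of the main plugin file, and compare it numerically (a plain string comparison would wrongly rank "2.6.10" below "2.6.5"). The script below is an added example and is not code from the article, from Wordfence or from OptinMonster; it assumes the plugin lives at `wp-content/plugins/optinmonster/optin-monster-wp-api.php` and takes the patched version 2.6.5 from the disclosure quoted above. The sample header embedded in it is constructed so the check runs offline.

```python
"""Check whether an installed OptinMonster copy is at or above the patched release.

Added example, not code from the article, Wordfence or OptinMonster.
Assumptions: the plugin directory is wp-content/plugins/optinmonster and its
main file is optin-monster-wp-api.php; the patched version (2.6.5) is taken
from the Wordfence statement quoted in the article.
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "2.6.5"  # from the Wordfence disclosure
PLUGIN_MAIN_FILE = "wp-content/plugins/optinmonster/optin-monster-wp-api.php"  # assumed path

# WordPress plugin headers are "Key: value" lines inside the leading comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)

# Constructed sample of a plugin header (not a real file), used so the script runs offline.
SAMPLE_VULNERABLE_HEADER = """<?php
/**
 * Plugin Name: OptinMonster
 * Description: Sample header constructed for this example.
 * Version:     2.6.4
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value declared in a WordPress plugin header, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Split '2.6.5' into (2, 6, 5); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is numerically >= the patched version."""
    return version_tuple(installed) >= version_tuple(patched)


def check_site(wp_root: str) -> str:
    """Inspect a WordPress install root and report the OptinMonster patch status."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return "not installed"
    # WordPress itself only reads the first 8 KB of the file when parsing headers.
    header = path.read_text(encoding="utf-8", errors="replace")[:8192]
    installed = parse_plugin_version(header)
    if installed is None:
        return "unknown version: header missing"
    if is_patched(installed):
        return f"{installed}: patched"
    return f"{installed}: VULNERABLE, update to {PATCHED_VERSION} or higher"


if __name__ == "__main__":
    # Usage: python check_optinmonster.py /var/www/html
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(check_site(root))
```

Run it against the WordPress document root on each site you manage; a result other than "patched" or "not installed" means the site should be updated (and, per the advisory, scanned for injected JavaScript and unexpected backend users) before being left in production.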