WordPress security researchers reported that a flaw in the OptinMonster WordPress plugin allows attackers to upload malicious scripts that target site visitors and can lead to full site takeovers. The plugin failed to perform a basic security check, and that omission exposes over a million sites to potential compromise.
Lack of REST-API Endpoint Capability Checking
This vulnerability isn’t due to hackers being really smart and finding a clever way to exploit a perfectly coded WordPress plugin. Quite the opposite.
According to security researchers at the popular WordPress security company Wordfence, the vulnerability stems from a flaw in the OptinMonster plugin’s WordPress REST-API implementation, which resulted in “insufficient capability checking.”
When properly coded, the REST-API is a secure method of extending WordPress functionality: it allows plugins and themes to interact with a WordPress site to manage and publish content. It lets a plugin or theme read from and write to the website database without compromising security… if properly coded.
The WordPress REST-API documentation states:
“…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
The WordPress REST-API is supposed to be secure.
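Whether a REST-API route is secure comes down to its `permission_callback`: WordPress runs that callback before the route handler, and if it unconditionally returns true the handler is reachable by anyone, logged in or not. The following is an added example, not OptinMonster’s or Wordfence’s code; the plugin namespace `example-plugin/v1`, the `campaign` route, the option name and all function names are hypothetical. It shows a route registered the weak way beside the hardened registration that performs a real capability check and sanitizes the submitted content.

```php
<?php
/*
 * Added illustration, not code from OptinMonster or Wordfence.
 * Namespace, route, option name and function names are hypothetical.
 * Only the hardened registration is hooked; the weak one is kept for contrast.
 */

// WEAK: '__return_true' means no capability check at all. Any visitor,
// authenticated or not, can call this endpoint. If the stored content is
// later rendered into the site's pages, an anonymous caller can plant
// script tags that run in every visitor's browser.
function example_plugin_register_routes_weak() {
    register_rest_route( 'example-plugin/v1', '/campaign/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_campaign',
        'permission_callback' => '__return_true', // <- the missing check
    ) );
}

// HARDENED: a permission callback tied to the current user's capability,
// plus validation and sanitization of every argument before the handler runs.
function example_plugin_register_routes_hardened() {
    register_rest_route( 'example-plugin/v1', '/campaign/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_campaign',
        'permission_callback' => 'example_plugin_can_edit_campaign',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'content' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips <script>, inline event handlers and similar; keeps
                // the HTML an editor may normally use in a post.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_plugin_register_routes_hardened' );

// The capability check. For cookie-authenticated REST calls WordPress only
// sets the current user when a valid X-WP-Nonce header accompanies the
// request, so an anonymous caller fails here with HTTP 401 and a logged-in
// user without the capability fails with HTTP 403.
function example_plugin_can_edit_campaign( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to edit campaigns.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler: runs only after the permission callback returned true and the
// 'args' callbacks validated and sanitized the input.
function example_plugin_update_campaign( WP_REST_Request $request ) {
    $id      = $request['id'];       // already cast by absint()
    $content = $request['content'];  // already filtered by wp_kses_post()
    update_option( 'example_plugin_campaign_' . $id, $content );
    return rest_ensure_response( array( 'id' => $id, 'updated' => true ) );
}
```

Two points worth checking when auditing a plugin’s routes: a nonce check on its own is not a capability check (it proves the request came from a page the user loaded, not that the user may perform the action), and since WordPress 5.5 omitting `permission_callback` entirely only triggers a `_doing_it_wrong` notice rather than blocking the route, so the absence of a notice is not evidence that a route is protected.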