Vulnerability allowing JavaScript code substitution through OptinMonster WordPress plugin

A vulnerability (CVE-2021-39341) has been identified in OptinMonster, a WordPress plugin with more than a million active installations that is used to manage the display of pop-up notifications and offers. The vulnerability was fixed in release 2.6.5. To block access via already-captured keys once the update is installed, the OptinMonster developers revoked all previously issued API access keys and added restrictions on using WordPress site keys to modify OptinMonster campaigns.

The problem stems from the REST API endpoint /wp-json/omapp/v1/support, which could be reached without authentication: the request was processed without further checks as long as the Referer header contained the string "https://wp.app.optinmonster.test" and the HTTP request method was set to "OPTIONS" (which could be done with the "X-HTTP-Method-Override" header). The data returned by this endpoint included an access key that allows requests to be sent to any REST API handler.
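The two conditions just described (a trusted Referer string and the method override to OPTIONS) are both attacker-controlled, which is why they cannot serve as authorization. As an added example, not code from OptinMonster or from opennet.ru, the detector below flags requests that show that bypass pattern in reverse-proxy logs. It assumes a constructed log format with one JSON object per request that records the request headers; a default Apache or nginx access log records the Referer but not X-HTTP-Method-Override, so the format would have to be extended for the second indicator.

```python
"""Flag requests matching the CVE-2021-39341 bypass pattern in proxy logs.

Added example; not OptinMonster's or opennet.ru's code. Assumes a
constructed JSON-lines log format that records request headers (see
SAMPLE_LOG below).
"""

import json
import re
from typing import Iterable

# Indicators taken from the advisory text: the unauthenticated endpoint, the
# Referer value the check trusted, and the method-override header.
SUPPORT_ENDPOINT = re.compile(r"^/wp-json/omapp/v1/support/?(\?.*)?$")
TRUSTED_REFERER = "https://wp.app.optinmonster.test"


def effective_method(entry: dict) -> str:
    """Method WordPress would dispatch: X-HTTP-Method-Override, when present,
    replaces the transport-level method."""
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    return headers.get("x-http-method-override", entry.get("method", "")).upper()


def classify(entry: dict) -> list[str]:
    """Return the bypass indicators present in one log entry (empty when the
    request does not target the support endpoint or shows none of them)."""
    if not SUPPORT_ENDPOINT.match(entry.get("path", "")):
        return []
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    reasons = []
    if TRUSTED_REFERER in headers.get("referer", ""):
        reasons.append("referer-spoof")
    if "x-http-method-override" in headers and effective_method(entry) == "OPTIONS":
        reasons.append("options-override")
    return reasons


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON log lines and return one finding per matching request.
    A 2xx status means the endpoint answered, i.e. the key was likely disclosed."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ts": entry.get("ts"),
                "src": entry.get("src"),
                "status": entry.get("status"),
                "reasons": reasons,
                "key_disclosed": 200 <= int(entry.get("status", 0)) < 300,
            })
    return findings


# Constructed sample log: two benign requests and two probes (RFC 5737 addresses).
SAMPLE_LOG = """
{"ts":"2021-10-20T10:00:01Z","src":"203.0.113.5","method":"GET","path":"/wp-json/omapp/v1/campaigns","status":401,"headers":{"User-Agent":"curl/7.79"}}
{"ts":"2021-10-20T10:00:02Z","src":"198.51.100.9","method":"GET","path":"/wp-json/omapp/v1/support","status":200,"headers":{"Referer":"https://wp.app.optinmonster.test","X-HTTP-Method-Override":"OPTIONS"}}
{"ts":"2021-10-20T10:00:03Z","src":"198.51.100.9","method":"GET","path":"/wp-json/omapp/v1/support?foo=1","status":403,"headers":{"X-HTTP-Method-Override":"options"}}
{"ts":"2021-10-20T10:00:04Z","src":"192.0.2.7","method":"GET","path":"/wp-json/omapp/v1/support","status":403,"headers":{"Referer":"https://example.org/wp-admin/","Cookie":"wordpress_logged_in_x=..."}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Findings with `key_disclosed` set are the ones to act on: on an unpatched site they indicate the access key may have been handed out, so the campaign content served by the plugin should be reviewed for injected script and the plugin updated to 2.6.5 or later, where the developers have already revoked all earlier keys. Header names are compared case-insensitively and the override value is upper-cased because WordPress treats both that way.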

Using the obtained key, an attacker could modify any pop-up block displayed through OptinMonster, including arranging for their own JavaScript code to run. With JavaScript executing in the context of the site, the attacker could redirect visitors to their own site or, once the site administrator's browser executed the injected code, insert a privileged account through the web interface. With access to the web interface, the attacker could then get their PHP code executed on the server.

Source: opennet.ru