CVE-2021-39341
HIGH EXPLOITED NUCLEIOptinMonster < 2.6.4 - Sensitive Information Disclosure via Insufficient Authorization
Title source: llmExploitation Summary
CVE-2021-39341 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.
Nuclei Templates (1)
OptinMonster Plugin < 2.6.5 - Unprotected REST-API
HIGHVERIFIEDby iamnoooob,pdresearch
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities/
Third Party Advisory x_refsource_misc
https://wordfence.com/vulnerability-advisories/#CVE-2021-39341
Third Party Advisory x_refsource_misc
https://plugins.trac.wordpress.org/browser/optinmonster/trunk/OMAPI/RestApi.php?rev=2606519#L1460
Scores
CVSS v3
8.2
EPSS
0.2327
EPSS Percentile
97.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2021-10-27
CWE
CWE-319
CWE-285
CWE-863
Status
published
Products (1)
optinmonster/optinmonster
< 2.6.4
Published
Nov 01, 2021
Tracked Since
Feb 18, 2026