vulnerability

WordPress Plugin: optinmonster: CVE-2021-39341: Improper Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Nov 1, 2021	May 15, 2025	Jul 10, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Nov 1, 2021

Added

May 15, 2025

Modified

Jul 10, 2025

Description

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.

Solution

optinmonster-plugin-cve-2021-39341

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-39341
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/77eb40c2-735a-49f2-9d07-5cf7535bd722?source=api-prod
CVE-2021-39341
https://attackerkb.com/topics/CVE-2021-39341
CWE-285
CWE-319
CWE-863

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today