Unrated severity · NVD Advisory · Published Nov 1, 2021 · Updated Mar 31, 2025
OptinMonster <= 2.6.4 Unprotected REST-API Endpoints
CVE-2021-39341
Description
The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation in the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file, which can be exploited to inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.
Affected products
- Range: versions up to and including 2.6.4
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/optinmonster/trunk/OMAPI/RestApi.php
- wordfence.com/vulnerability-advisories/
- www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities/