Update your OptinMonster WordPress plugin immediately

WordPress, the incredibly popular content management platform, is currently dealing with a nasty plugin bug which allows redirects.

What is a WordPress plugin?

Like most blogging platforms, WordPress allows you to change up its default functionality. This is done by adding bits of kit called plugins. Some will be from WordPress itself, others are created and maintained by third parties. Any plugin can be potentially unsafe, or coded poorly, or compromised in some way. It’s also entirely possible for rogues to make their own innocent looking plugin and cause chaos.

Plugins are often in the news for these kinds of problems. Just this month, we covered a WordPress plugin susceptible to multiple vulnerabilities. Last month, it was a plugin leaving shoppers vulnerable to cross site scripting bugs and a form of JavaScript injection. There are so many plugins that it’s a surefire bet another plugin will be the latest compromise before long. And even when it’s not possible to be 100% sure a plugin was involved in an attack, you can end up with a bad situation very quickly. Shall we see what’s happened this time?

Bug causes problems for up to 1 million sites

Yes, an astonishing 1 million WordPress sites have been affected this time around. A plugin called OptinMonster is a tool designed to make your site “sticky”. That is, keep people around for longer, convert interest to sales, sign up to newsletters, build up elements of your site, and more.

This plugin relies on API endpoints to do its job. An API is an Application Programming Interface, and you can read a fantastic plain-English description of what an API is and does here.

Sadly, it seems some of the endpoints weren’t secure, and attackers with API keys designed for use with the OptinMonster service could get up to no good. Changes could be made to accounts, or malicious code could be placed on the site without a visitor’s knowledge.


The bug, known as CVE-2021-39341 and discovered at the end of September, has been addressed by the OptinMonster developers. Stolen API keys have been invalidated, and a patch was released on the October 7. It’s possible more updates may appear over the next few weeks.

What should I do if I have OptinMonster on my website?

If your API key has been revoked, you’ll have to create a new one. You should also ensure your plugin is kept up to date. In fact, you should be doing this for all of your plugins. It may be worth checking if they’re still maintained, and browsing the latest reviews to see if people are suddenly complaining about peculiar activity.

If you have plugins installed which you don’t use at all, or only very rarely, it may be worth having a spring clean. Often we rush to install dozens of plugins on a new website, and before we know it, we’ve forgotten what half of them are. There they sit, for months or years, just waiting for a juicy vulnerability to come along. Why take the risk?

There’s a number of ways you can keep your WordPress site safe from harm where plugins are concerned. Our advice is to devote some time to digging through the weeds and see what exactly you have lurking in the undergrowth.