WordPress security researchers reported that a flaw in the OptinMonster WordPress plugin was found to allow hackers to upload malicious scripts to attack site visitors and lead to full site takeovers. Failure to perform a basic security check exposes over a million sites to potential hacking events.
Lack of REST-API Endpoint Capability Checking
This vulnerability isn’t due to hackers being really smart and finding a clever way to exploit a perfectly coded WordPress plugin. Quite the opposite.
According to security researchers at popular WordPress security company Wordfence, the exploit was due to a failure in the WordPress REST-API implementation in the OptinMonster WordPress plugin which resulted in “insufficient capability checking.”
When properly coded, REST-API is a secure method to extend WordPress functionality by allowing plugins and themes to interact with a WordPress site for managing and publishing content. It allows a plugin or theme to interact directly with the website database without compromising security… if properly coded.
The WordPress REST-API documentation states:
“…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
The WordPress REST-API is supposed to be secure.
Unfortunately, all websites using OptinMonster had their security compromised because of how OptinMonster implemented the WordPress REST-API.
Majority of REST-API Endpoints Compromised
REST-API endpoints are URLs that represent the posts and pages on a WordPress site that a plugin or theme can modify and manipulate.
But according to Wordfence, almost every single REST-API endpoint in OptinMonster was improperly coded, compromising website security.
Wordfence slammed OptinMonster’s REST-API implementation:
“…the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
…nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”
Unauthenticated means an attacker that isn’t registered in any way with the website being attacked.
Some vulnerabilities require an attacker to be registered as a subscriber or contributor, which makes it a little harder to attack a site, especially if a site doesn’t accept subscriber registrations.
This vulnerability had no such barrier at all, no authentication was necessary to exploit OptinMonster, which is a worst-case scenario compared to authenticated exploits.
Wordfence warned about how bad an attack on a website using OptinMonster could be:
Recommended Course of Action
Wordfence notified the publishers of OptinMonster and about ten days later released an updated version of the OptinMonster that plugged all of the security holes.
The most secure version of OptinMonster is version 2.6.5.
Wordfence recommends that all users of the OptinMonster update their plugin:
“We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.”
WordPress offers documentation on best practices for REST-API and asserts that it is a secure technology.
So if these kinds of security issues aren’t supposed to occur, why do they keep on happening?
The WordPress documentation on best practices for the REST-API states:
“…it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
With over a million sites affected by this vulnerability one has to wonder why, if best practices exist, this kind of vulnerability happened on the highly popular OptinMonster plugin.
While this isn’t the fault of WordPress itself, this kind of thing does reflect negatively on the entire WordPress ecosystem.
Read the Report About OptinMonster at Wordfence
Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster
Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.
Google December 2021 Product Reviews Update
On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.
Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021
The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.
A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:
“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200″.com.
Goal is to improve the quality and usefulness of reviews we show users.”
Continue Reading Below
Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.
The first best practice was a requirement of evidence that a product was actually handled and reviewed.
The second best practice was to provide links to more than one place that a user could purchase the product.
The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.
Google’s Mueller Thinking About Product Reviews Update
Product Review Update Targets More Languages?
The person asking the question was rightly under the impression that the product review update only affected English language search results.
Continue Reading Below
But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.
This is his question:
“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”
John Mueller answered:
“I don’t know… like other languages?
My assumption was this was global and and across all languages.
But I don’t know what we announced in the blog post specifically.
But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”
Does Product Reviews Update Affect More Languages?
While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.
Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.
One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.
It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.
Google Blog Post About Product Reviews Update
Google’s New Product Reviews Guidelines
John Mueller Discusses If Product Reviews Update Is Global
Watch Mueller answer the question at the 14:00 Minute Mark
Three critical keyword research trends you must embrace
Employee-Generated Content: Tips To Inspire Interest
Six Reasons to Play Ogre
The Ultimate Guide to On-Page SEO in 2022
Google Can Show Video Thumbnails In Search Even Without Embedding Video On Page
What Is Personal Branding & 4 Reasons Why It’s Important
TikTok Launches New ‘Branded Mission’ Creator Monetization and UGC Promotion Process
Everything you should know about evaluating your competitor’s backlink profile
Everything You Need To Know
How To Choose the Best Distribution Channels for Your Content
LinkedIn Adds Live Captions for Audio Events, Custom URL Listings on Creator Profiles
LinkedIn Shares New Insights into the Brand Benefits of Adopting Sustainability Best Practices [Infographic]
Google Ads Automated Rules Conditions Not Sticking
Six Ways to Adjust Google Ads to Save Budget
How to Win Potential Consumers with Customer Journey Mapping on Google
Google Search With Larger Images Again On Desktop Results
Daily Search Forum Recap: May 2, 2022
How Does Google Multisearch Affect SEO?
Where To Invest In SEO For Maximum Impact
Start an Affiliate Marketing Side Hustle to Bring in Passive Income
SEO7 days ago
What’s A Good Cost Per Acquisition (CPA)? Ask The PPC
PPC2 days ago
Three Key Moments You Can’t Miss at Hero Conf London 2022
SEARCHENGINES4 days ago
Google Search Console Performance Reports Logs Additional Desktop Features
SEO3 days ago
Google Ads Makes Automation Easier With Scripts Updates