CVE-2021-39341: 
WordPress vulnerability analysis and mitigation

The OptinMonster WordPress plugin (versions up to and including 2.6.4) was identified with a vulnerability tracked as CVE-2021-39341. The vulnerability involves sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation in the loggedinorhasapi_key function within the ~/OMAPI/RestApi.php file (CVE Details, WPScan).

The vulnerability stems from missing appropriate capability checks on several REST-API endpoints. This security flaw allows unauthenticated attackers and authenticated users with low privileges to perform unauthorized actions and access sensitive information, including the app.optinmonster.com API key. The vulnerability has been assigned a CVSS score of 7.2 (High), indicating significant severity (WPScan, Wordfence Blog).

The vulnerability affected approximately 1,000,000 WordPress sites using the OptinMonster plugin. The security flaw exposed sensitive information and allowed unauthorized users to modify settings, potentially compromising the security of affected websites (Wordfence Blog).

The vulnerability was fixed in OptinMonster version 2.6.5. Website administrators using affected versions were advised to update their OptinMonster plugin to the latest version to protect against potential exploits (WPScan).