Vulnerabilities in OptinMonster, an email marketing plugin for WordPress, left more than a million websites open to exploitation, security researchers at Wordfence warn.
Left unaddressed, the flaws make it possible for an unauthenticated attacker to export sensitive information and add malicious JavaScript to vulnerable WordPress sites, among other exploits. The Wordfence Threat Intelligence team notified developers of the plugin about the problem on September 28. A fully patched edition of OptinMonster, version 2.6.5, was released on October 7.