Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.
We sent the full disclosure details to OptinMonster on September 28, 2021, after confirming the appropriate channel to handle communications.The OptinMonster team quickly acknowledged the report by releasing a patch the next day. We followed up to let them know some improvements were needed on the patch and a fully patched version was released as 2.6.5 on October 7, 2021.
We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this