The optinmonster plugin prior to 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.
optinmonster optinmonster