A severe vulnerability, CVE-2025-3102, was discovered in the OttoKit (formerly SureTriggers) plugin for WordPress. This flaw, an authorization bypass, allows unauthenticated attackers to create administrator accounts without needing an API key. The vulnerability, found in the authenticate_user() function, exposes sites using the plugin to full takeover: attackers can install malicious plugins, alter site configurations, and redirect users to harmful sites. The vulnerability affects all versions up to 1.0.78, and attackers quickly began exploiting it after its public disclosure.
The flaw was reported by security researcher Michael Mazzolini in March 2025, and a patch was made available on April 3, 2025, through version 1.0.79. However, despite the swift release of the fix, attackers began exploiting the vulnerability within hours of its disclosure. The exploit attempts involved creating new administrator accounts using randomized credentials, showing signs of automated attack strategies. Researchers have identified multiple IP addresses used in these attacks, including both IPv4 and IPv6 sources.
OttoKit, which is installed on over 100,000 websites, facilitates automation for WordPress users by connecting external apps and plugins. This functionality, while beneficial, made the plugin an attractive target for cybercriminals aiming to take control of vulnerable sites. The flaw only affects sites where OttoKit is installed but not properly configured with an API key, which leaves the secret_key value empty and the authentication check bypassable. Once exploited, attackers can bypass authentication checks to gain administrative control over the site.
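The class of bug described above, as an added illustration that is not OttoKit's own code: a stored secret that was never configured stays empty, so a check that merely compares the supplied value to the stored one accepts a request carrying an empty key. The hardened version fails closed when the secret is unset and uses a constant-time comparison. The option name, function names and sample values are assumptions for the illustration.

```php
<?php
// Added illustration (not OttoKit's code) of the bug class the article
// describes: an unconfigured plugin leaves its secret empty, and a plain
// equality check then accepts an empty supplied key.

// Vulnerable pattern: empty stored secret equals empty supplied value,
// so a request that sends no key at all passes.
function vulnerable_authenticate(string $stored_secret, ?string $supplied): bool
{
    return $supplied === $stored_secret;
}

// Hardened pattern: refuse when the secret was never set (fail closed),
// require a non-empty supplied value, and compare in constant time.
function hardened_authenticate(string $stored_secret, ?string $supplied): bool
{
    if ($stored_secret === '' || $supplied === null || $supplied === '') {
        return false; // unconfigured plugin must not grant access
    }
    return hash_equals($stored_secret, $supplied);
}

// Constructed scenarios (hypothetical values, not taken from the plugin).
$unconfigured = '';                          // secret_key never set
$configured   = 'constructed-example-secret'; // secret_key set by the admin

var_dump(vulnerable_authenticate($unconfigured, ''));      // bypass succeeds
var_dump(hardened_authenticate($unconfigured, ''));        // rejected
var_dump(hardened_authenticate($configured, 'wrong-key')); // rejected
var_dump(hardened_authenticate($configured, $configured)); // accepted
```

In a WordPress plugin the same fail-closed rule belongs in the REST route's permission callback, with the stored secret read via get_option() rather than passed in directly.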
Given the active exploitation, WordPress site administrators using OttoKit/SureTriggers are advised to immediately upgrade to version 1.0.79 and review logs for any suspicious activity, including unexpected admin accounts. The urgency of applying the patch reflects the high severity of the vulnerability, as successful exploitation can lead to complete website compromise. Admins should also inspect their sites for any unusual modifications or unauthorized access to mitigate the risks associated with this flaw.