A newly uncovered, high-severity vulnerability affects the OttoKit plugin for WordPress, formerly known as SureTriggers. This flaw has reportedly been exploited within mere hours of its public disclosure, posing a significant risk to website security.
Identified as CVE-2025-3102, this vulnerability carries a CVSS score of 8.1 due to an authorization bypass issue. It allows malicious actors to potentially create administrator accounts under specific conditions, enabling unauthorized control over affected websites.
According to Wordfence’s István Márton, the vulnerability stems from a missing empty-value check on the ‘secret_key’ parameter in the ‘authenticate_user’ function. The defect is present in all versions of the plugin up to and including 1.0.78. As a result, unauthenticated attackers can create administrative accounts on websites where the plugin is installed and activated but has not been configured with an API key.
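The bug class described above, modelled as an added illustration that is not the plugin's source (the function names, the `secret_key` lookup and the request shape are assumptions): an unconfigured installation has an empty stored secret, and a comparison that never rejects empty values lets an absent request value match it. The hardened variant refuses to authenticate at all until a key has been configured.

```python
import hmac
from typing import Optional

# Constructed model of the authorization check, not OttoKit/SureTriggers code.


def vulnerable_authenticate(stored_secret: Optional[str],
                            supplied_secret: Optional[str]) -> bool:
    """Pattern that fails open when the plugin is unconfigured.

    With no API key saved, stored_secret is None or "", so a request that
    omits secret_key compares as empty == empty and is accepted.
    """
    return (stored_secret or "") == (supplied_secret or "")


def hardened_authenticate(stored_secret: Optional[str],
                          supplied_secret: Optional[str]) -> bool:
    """Reject before comparing if either side is empty, then compare in
    constant time so the check does not leak through timing."""
    if not stored_secret or not supplied_secret:
        return False
    return hmac.compare_digest(stored_secret.encode("utf-8"),
                               supplied_secret.encode("utf-8"))


def handle_request(stored_secret: Optional[str], params: dict, check) -> str:
    """Minimal stand-in for the endpoint: 'params' is the parsed request,
    'check' is one of the two authenticators above."""
    supplied = params.get("secret_key")  # parameter name taken from the write-up
    if not check(stored_secret, supplied):
        return "denied"
    return "allowed"  # the real endpoint would go on to act with admin rights


if __name__ == "__main__":
    # Unconfigured site (no stored key) receiving a request with no secret_key.
    print("vulnerable:", handle_request(None, {}, vulnerable_authenticate))  # allowed
    print("hardened:  ", handle_request(None, {}, hardened_authenticate))    # denied
```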
Exploiting this flaw could grant attackers complete control of compromised WordPress sites. Such unauthorized access enables the uploading of arbitrary plugins, implementation of malicious modifications, and redirection of site visitors to potentially dangerous web pages. The defect was initially discovered by security researcher Michael Mazzolini, credited with reporting the issue on March 13, 2025. The vulnerability was subsequently patched in version 1.0.79 of the plugin, released on April 3, 2025.
OttoKit serves as a widely used tool for WordPress users, integrating various apps and plugins through workflows that automate repetitive tasks. Although it has over 100,000 active installations, only a subset of those websites is vulnerable, because exploitation requires the plugin to be installed and activated but still in an unconfigured state.
The rapid exploitation efforts are evident, with attackers swiftly attempting to create fraudulent administrator accounts using randomized usernames like “xtw1838783bc” or “test123123.” According to Patchstack, these attempts showcase a level of automation, making it likely that each exploitation will yield different username, password, and email combinations.
Attacks have been traced back to four distinct IP addresses, indicating a broad and proactive approach by cybercriminals aiming to capitalize on the vulnerability. As these developments unfold, WordPress site owners relying on the OttoKit plugin are urged to install updates immediately to mitigate risks. It is also critical to monitor for any suspicious administrative accounts and remove them as necessary.
Given the nature of this incident, potential MITRE ATT&CK adversary tactics may include initial access through exploitation of vulnerabilities, privilege escalation by creating administrative accounts, and persistence to maintain control over compromised sites. As exploitation continues to evolve, it is essential for businesses to stay vigilant and take proactive steps to secure their digital assets.
This article has been updated with additional information regarding indicators of compromise.