
Critical OttoKit WordPress Plugin Vulnerability Actively Exploited

TL;DR

A severe vulnerability in the OttoKit WordPress plugin, identified as CVE-2025-3102, is being actively exploited. The flaw allows attackers to create malicious admin users on unconfigured sites, enabling full site takeovers. Users are advised to update immediately to mitigate risks.

Overview

A recently disclosed vulnerability in the OttoKit WordPress plugin (formerly SureTriggers) is being actively exploited by threat actors. Tracked as CVE-2025-3102 with a CVSS score of 8.1, this flaw allows attackers to create malicious administrator accounts on unconfigured sites. The issue arises from an authentication bypass due to a missing value check on the ‘secret_key’ in the ‘authenticate_user’ function.

Vulnerability Details

The OttoKit plugin, widely used for automating actions across websites and apps, contains a critical security flaw. When the plugin is installed and activated but not configured with an API key, unauthenticated attackers can exploit this vulnerability to create administrator accounts. This enables attackers to:

  • Fully take over a WordPress site.
  • Upload malicious plugins.
  • Alter site content.
  • Serve malware or spam.
  • Redirect visitors to malicious websites.

Technical Insights

According to the advisory, the vulnerability exists in versions up to and including 1.0.78. The issue is described as follows:

“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘authenticate_user’ function in all versions up to, and including, 1.0.78.” [1]

This flaw allows attackers to bypass authentication by sending an empty key, resulting in the creation of an admin account and full site takeover.
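The root cause can be illustrated with a short PHP sketch. This is an added example of the bug class described above, not the plugin's own code; the function names, the fact that the stored key is read from plugin settings and the supplied key from the request, and the sample values are all assumptions.

```php
<?php
// Added illustration of a "missing empty value check" on a shared secret.
// $stored_key stands for the API key saved when the plugin is configured;
// on an unconfigured site no key has been saved, so it is ''.
// $supplied_key stands for the value an incoming request presents.

// Vulnerable pattern: the two values are compared, but nothing rejects an
// empty secret. On an unconfigured site '' === '' holds, so a request that
// carries no key at all passes the check.
function authenticate_user_vulnerable(string $stored_key, string $supplied_key): bool
{
    return $stored_key === $supplied_key;
}

// Hardened pattern: refuse whenever no key has been configured or none was
// supplied, and compare the remaining case in constant time.
function authenticate_user_hardened(string $stored_key, string $supplied_key): bool
{
    if ($stored_key === '' || $supplied_key === '') {
        return false; // an unconfigured plugin must never grant access
    }
    return hash_equals($stored_key, $supplied_key);
}

// Constructed sample values: an unconfigured site and a configured one.
$cases = [
    ['stored' => '',        'supplied' => ''],
    ['stored' => '',        'supplied' => 'anything'],
    ['stored' => 'k3y-abc', 'supplied' => 'k3y-abc'],
    ['stored' => 'k3y-abc', 'supplied' => ''],
];

foreach ($cases as $c) {
    printf(
        "stored=%-8s supplied=%-8s vulnerable=%s hardened=%s\n",
        var_export($c['stored'], true),
        var_export($c['supplied'], true),
        authenticate_user_vulnerable($c['stored'], $c['supplied']) ? 'PASS' : 'deny',
        authenticate_user_hardened($c['stored'], $c['supplied']) ? 'PASS' : 'deny'
    );
}
```

Only the first case differs between the two functions: the vulnerable check accepts an empty key against an empty configuration, which is exactly the unconfigured-site condition the advisory describes.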

Impact and Mitigation

Wordfence researchers report that over 100,000 sites use the vulnerable plugin, although only the subset where the plugin is installed but not yet configured with an API key is exploitable. Wordfence strongly advises updating immediately, as the flaw is being actively exploited.

PatchStack researchers have confirmed active exploitation attempts, with attackers creating administrator accounts with names such as “xtw1838783bc”. Users are urged to update to the latest version and check for indicators of compromise (IOCs) such as newly created administrator accounts, recently installed plugins or themes, and modified content [2].

Recommendations

To mitigate the risk, WordPress site administrators should:

  • Immediately update the OttoKit plugin to version 1.0.79 or later.
  • Review and remove any suspicious administrator accounts.
  • Monitor for any unauthorized changes or installations.

Conclusion

The rapid exploitation of the OttoKit plugin vulnerability underscores the importance of prompt updates and vigilant monitoring. By staying informed and proactive, site administrators can protect their WordPress installations from potential attacks and ensure the security of their digital assets.

References

  1. “CVE-2025-3102 Detail”. (2025). CVE. Retrieved 2025-04-12.

  2. PatchStack. (2025). “Critical SureTriggers Plugin Vulnerability Exploited Within 4 Hours”. PatchStack. Retrieved 2025-04-12.

This post is licensed under CC BY 4.0 by the author.