Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
Users are strongly recommended to upgrade to the latest version of OttoKit/SureTriggers, currently 1.0.79, released at the beginning of the month.
The OttoKit WordPress plugin allows users to connect plugins and external tools like WooCommerce, Mailchimp, and Google Sheets, automate tasks like sending emails and adding users, or updating CRMs without code. Statistics show that the product is active on 100,000 websites.
Yesterday, Wordfence disclosed an authentication bypass vulnerability in OttoKit, identified as CVE-2025-3102. The flaw impacts all versions of SureTriggers/OttoKit up to 1.0.78.
The flaw stems from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation to be possible if the plugin is not configured with an API key, which causes the stored secret_key to remain empty.
An attacker could exploit this by sending an empty st_authorization header to pass the check and grant unauthorized access to protected API endpoints.
Essentially, CVE-2025-3102 allows attackers to create new administrator accounts without authentication, posing a high risk of full site takeover.
Wordfence received a report about the flaw from security researcher ‘mikemyers’, who earned a bounty of $1,024 for the discovery in mid-March.
The plugin vendor was contacted on April 3 with the full exploitation details, and they released a fix via version 1.0.79 on the same day.
However, hackers quickly jumped at the opportunity to exploit the issue, taking advantage of administrators’ delay in updating the plugin to address the security problem.
Researchers at WordPress security platform Patchstack are warning that the first exploitation attempts in the wild were logged only a few hours after the disclosure of the flaw.
“Attackers were quick to exploit this vulnerability, with the first recorded attempt occurring just four hours after it was added as a vPatch to our database,” reports Patchstack.
“This swift exploitation highlights the critical need to apply patches or mitigations immediately upon the public disclosure of such vulnerabilities,” the researchers say.
The threat actors attempt to create new administrator accounts using randomized username/password and email address combination, a sign of task automation.
If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events, and modification of security settings.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
