WordPress Plugin Vulnerability Actively Exploited: OttoKit Users at Risk
April 11, 2025 – By Ravie Lakshmanan
Website Security / Vulnerability
A critical security flaw in the popular WordPress plugin OttoKit (formerly known as SureTriggers) is being actively exploited just hours after its public disclosure.
Tracked as CVE-2025-3102 with a CVSS score of 8.1, the vulnerability allows attackers to bypass authentication and create admin-level accounts, potentially taking full control of vulnerable WordPress sites.
According to Wordfence researcher István Márton, the flaw stems from a missing validation check in the plugin's authenticate_user function. This affects all versions up to and including 1.0.78 of the plugin.
“Unauthenticated attackers can exploit the bug to create admin accounts if the plugin is active but hasn’t been configured with an API key,” said Márton.
What’s at risk?
If successfully exploited, attackers can:
- Upload malicious plugins
- Inject malware or spam into the site
- Redirect visitors to malicious or scam websites
The issue was responsibly disclosed by security researcher Michael Mazzolini (aka mikemyers) on March 13, 2025, and a patch was released on April 3, 2025 in version 1.0.79.
About OttoKit
OttoKit allows WordPress users to automate tasks by connecting different plugins and apps. While it boasts 100,000+ active installs, not all are at risk. Only websites where the plugin is installed and activated but left unconfigured are vulnerable.
Exploitation in the Wild
Cybercriminals wasted no time. Attacks have already begun, with hackers creating fake admin accounts under usernames like "xtw1838783bc". According to Patchstack, these account details are randomized for each attack attempt.
Two IP addresses have been linked to the activity:
- IPv6: 2a01:e5c0:3167::2
- IPv4: 89.169.15.201
If you use OttoKit on your WordPress site:
- Update the plugin to version 1.0.79 immediately
- Review your admin user list for suspicious accounts
- Delete any unknown admin users
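As an added example (not code from the article or from the OttoKit project), the following shell script turns the last two steps and the indicator IPs above into repeatable checks: it lists administrator accounts registered on or after a cutoff date, read from the CSV that wp-cli's `wp user list` prints, and filters an access log for requests from the two addresses named in the article. All sample data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: checks for the mitigation steps above. Sample data is constructed.

# Shape of `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv`;
# timestamps are made up, the "xtw..." logins mimic the style reported in the wild.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2022-06-14 09:12:41
7,editor_jane,2024-11-02 13:05:10
42,xtw1838783bc,2025-04-11 03:27:59
43,xtw9f2a77d1e,2025-04-11 03:31:02'

# Constructed combined-format access log; the two flagged source IPs are those from the article.
SAMPLE_ACCESS_LOG='203.0.113.9 - - [11/Apr/2025:03:20:11 +0000] "GET / HTTP/1.1" 200 512
89.169.15.201 - - [11/Apr/2025:03:27:58 +0000] "POST /wp-json/ HTTP/1.1" 200 87
2a01:e5c0:3167::2 - - [11/Apr/2025:03:31:01 +0000] "POST /wp-json/ HTTP/1.1" 200 87
198.51.100.4 - - [11/Apr/2025:03:40:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3011'

# Print the user_login of every administrator registered on or after CUTOFF
# (YYYY-MM-DD). CSV arrives on stdin; ISO timestamps compare correctly as strings.
flag_admins_since() {
    awk -F, -v cutoff="$1" '
        NR == 1 { next }                          # skip the CSV header row
        substr($3, 1, 10) >= cutoff { print $2 }  # recently created admin
    '
}

# Number of accounts flag_admins_since reports (handy for a cron alert).
count_admins_since() {
    flag_admins_since "$1" | wc -l | tr -d ' '
}

# Keep only access-log lines whose client address is one of the two indicator IPs.
# Anchored at line start so 89.169.15.201 cannot match inside a longer address.
grep_indicator_ips() {
    grep -E '^(89\.169\.15\.201|2a01:e5c0:3167::2)[[:space:]]'
}

# Stand-alone run on the constructed data. On a real site, pipe in the wp-cli
# output and your web server's access log instead; 2025-04-03 is the patch date.
printf '%s\n' "$SAMPLE_ADMINS" | flag_admins_since 2025-04-03
printf '%s\n' "$SAMPLE_ACCESS_LOG" | grep_indicator_ips
```

Any account the first check prints that you did not create yourself should be removed, and a hit from the second check is a cue to inspect the site for uploaded plugins and injected content.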