CVE-2025-3102: OttoKit WordPress Plugin Exploit Gives Hackers Full Site Control


A serious security vulnerability in the popular OttoKit WordPress plugin (formerly known as SureTriggers) is being actively exploited by hackers — just hours after it was publicly disclosed. The flaw, tracked as CVE-2025-3102, allows attackers to bypass authentication and create administrator accounts, potentially giving them full control over affected websites.

With over 100,000 active installations, OttoKit is widely used by WordPress site owners to connect plugins and third-party services like WooCommerce, Mailchimp, and Google Sheets. It automates routine tasks such as sending emails, adding users, and updating CRMs — all without needing to write code.


The Vulnerability

The vulnerability affects OttoKit versions 1.0.78 and earlier. It sits in the authenticate_user() function, which authenticates calls to the plugin's REST API by comparing the value of the st_authorization request header with the secret key the plugin has stored. What is missing is a check that the stored key has actually been set.

If the plugin is installed and activated but has never been configured with an API key, the stored secret_key is blank. An attacker can therefore send a request with an empty st_authorization header: the empty header matches the empty stored key, and the plugin treats the request as authenticated.

From there the attacker can call the plugin's protected API endpoints and use them to create new administrator accounts, without knowing a single password.
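The failure pattern described above, as an added example: this is not the OttoKit/SureTriggers source, and the function names, the users store and the request handler are assumptions chosen to mirror the behaviour the advisory describes. It places the vulnerable comparison beside a hardened one and replays the kind of request the attacks used (an empty st_authorization header) against an unconfigured site and a configured one.

```python
"""Added example: a model of the authentication-bypass pattern behind
CVE-2025-3102. Not the plugin's code; names and data shapes are assumed."""
import hmac


def authenticate_user_vulnerable(stored_secret: str, headers: dict) -> bool:
    """Vulnerable pattern: compare the st_authorization header with the
    stored secret and nothing else. On an installed-but-unconfigured site
    stored_secret is "", so an empty header compares equal and passes."""
    presented = headers.get("st_authorization")
    return presented == stored_secret


def authenticate_user_fixed(stored_secret: str, headers: dict) -> bool:
    """Hardened check: refuse when no secret has been provisioned, refuse
    when the header is absent or empty, and compare in constant time."""
    presented = headers.get("st_authorization")
    if not stored_secret or not presented:
        return False
    return hmac.compare_digest(presented.encode(), stored_secret.encode())


def handle_create_admin(authenticate, stored_secret: str, headers: dict,
                        body: dict, users: dict) -> dict:
    """Assumed REST action handler: only an authenticated caller may add a
    user. `users` maps login -> role and stands in for the WordPress user
    table. Returns a small dict in the style of a REST response."""
    if not authenticate(stored_secret, headers):
        return {"status": 401, "created": None}
    login = body["user_login"]
    if login in users:
        return {"status": 200, "created": None}  # exists already, nothing done
    users[login] = body.get("role", "subscriber")
    return {"status": 201, "created": login}


def simulate(authenticate, stored_secret: str) -> dict:
    """Replay an unauthenticated request carrying an empty st_authorization
    header against a site whose stored secret is `stored_secret`, and
    return the resulting user table. The attacker login is the one the
    article reports; the rest of the request is constructed."""
    users = {"site_owner": "administrator"}
    attacker_headers = {"st_authorization": ""}
    attacker_body = {"user_login": "xtw1838783bc", "role": "administrator"}
    handle_create_admin(authenticate, stored_secret,
                        attacker_headers, attacker_body, users)
    return users


if __name__ == "__main__":
    # Unconfigured site (empty secret): vulnerable check lets the admin in.
    print("vulnerable, unconfigured:", simulate(authenticate_user_vulnerable, ""))
    # Same site with the hardened check: request is rejected.
    print("fixed, unconfigured:     ", simulate(authenticate_user_fixed, ""))
    # Configured site: even the vulnerable check rejects an empty header.
    print("vulnerable, configured:  ", simulate(authenticate_user_vulnerable, "k3y"))
```

The third run is why only unconfigured installs are exposed: once a real secret is stored, an empty header no longer compares equal. The fixed version still rejects that case, and additionally refuses to authenticate anyone at all until a secret exists, which is the check the original function lacked.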


Update to Version 1.0.79

The plugin developers were notified of the issue on April 3, 2025, and quickly released a patched version, OttoKit 1.0.79, the same day. If you are using an older version of the plugin, it’s critical that you update immediately.

Failing to do so could allow attackers to:

  • Create unauthorized admin accounts

  • Install malicious plugins or themes

  • Modify your site’s settings

  • Steal sensitive data

  • Redirect users to harmful websites

  • Spread malware or spam from your domain


The Exploitation

Exploitation began almost immediately. According to WordPress security company Patchstack, the first exploitation attempts were seen just four hours after the vulnerability was disclosed.

“Attackers were quick to exploit this vulnerability, with the first recorded attempt occurring just four hours after it was added as a vPatch to our database,” Patchstack reported.

This highlights a recurring problem in the WordPress ecosystem: the lag between a patch being released and site owners applying it, a window that attackers now move into within hours.


How Attackers Are Exploiting It

Cybersecurity experts have observed attackers automating the process to create bogus admin accounts with randomized usernames, passwords, and email addresses.

One of the example admin usernames created during these attacks was “xtw1838783bc” — clearly a randomly generated string. This kind of automation helps attackers deploy mass exploitation campaigns quickly and silently.

These attacks have so far been traced to two IP addresses:

  • 2a01:e5c0:3167::2 (IPv6)

  • 89.169.15.201 (IPv4)

Not all 100,000 OttoKit installations are vulnerable, since the exploit only works where the plugin is installed and activated but has never been configured with an API key. Even a small percentage of such sites, however, represents a significant number of exposed targets.


Who Found the Flaw?

The vulnerability was discovered by Michael Mazzolini, also known as mikemyers, a respected security researcher. He reported the issue on March 13, 2025, and received a bug bounty of $1,024 for his responsible disclosure.

Security firm Wordfence also published a detailed technical advisory on the vulnerability, explaining how the absence of a basic empty-value check in the authenticate_user() function left the door open for attackers.


What Should You Do Now?

If you are using OttoKit (or previously SureTriggers), take the following steps immediately:

  1. Update the Plugin: Upgrade to version 1.0.79 right away. This version includes a fix that closes the vulnerability.

  2. Audit Admin Users: Check your site’s user list for unknown or suspicious admin accounts. Delete any you don’t recognize.

  3. Review Activity Logs:

    • Look for strange login attempts

    • Check for unexpected plugin or theme installations

    • Review any changes to database or settings

  4. Configure the API Key (or remove the plugin): An installed but unconfigured copy is exactly what this exploit targets. Finish configuring OttoKit so that an API key is actually set, or, if you do not use the plugin, deactivate and delete it. Setting a key reduces exposure but is not a substitute for updating to 1.0.79.

  5. Install a Security Plugin: Consider using tools like Wordfence, Sucuri, or Patchstack to monitor and protect your site from future threats.
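Step 2 above, the admin-account audit, as an added example that is not OttoKit's, Wordfence's or Patchstack's code. The input mimics the JSON printed by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`; the records, the verified-admin list and the cutoff date are constructed for illustration, and the login regex is a heuristic built from the single "xtw1838783bc" name the article reports, so treat its hits as prompts for a human look rather than proof of compromise.

```python
"""Added example: flag administrator accounts that need review after the
OttoKit incident. Sample data is constructed; not the plugin's code."""
import json
import re
from datetime import datetime

# Constructed sample export in the shape of `wp user list ... --format=json`:
# one long-standing admin and two accounts added around the disclosure.
SAMPLE_ADMIN_EXPORT = json.dumps([
    {"ID": 1, "user_login": "site_owner", "user_email": "owner@example.com",
     "user_registered": "2022-06-14 09:12:33"},
    {"ID": 57, "user_login": "xtw1838783bc", "user_email": "b7f2c@example.net",
     "user_registered": "2025-04-03 19:41:05"},
    {"ID": 58, "user_login": "marketing_contractor", "user_email": "m@example.org",
     "user_registered": "2025-04-04 02:10:48"},
])

# Assumption: a list of admin logins you have personally verified,
# maintained outside the site so a compromised database cannot edit it.
KNOWN_ADMINS = {"site_owner"}

# The patch shipped on April 3, 2025 and attacks followed within hours,
# so any admin registered from that day on deserves a look.
DISCLOSURE_DATE = datetime(2025, 4, 3)

# Heuristic for machine-generated logins of the form the article reports
# ("xtw1838783bc"): a few letters followed by a long run of hex digits.
RANDOM_LOGIN = re.compile(r"^[a-z]{2,4}[0-9a-f]{8,}$")


def audit_admins(export_json: str, known_admins: set, cutoff: datetime) -> list:
    """Return [(login, [reason, ...]), ...] for every administrator that
    fails at least one check, in the order the export lists them."""
    flagged = []
    for user in json.loads(export_json):
        login = user["user_login"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in the verified-admin list")
        if registered >= cutoff:
            reasons.append("registered on or after the disclosure date")
        if RANDOM_LOGIN.match(login):
            reasons.append("machine-generated-looking login")
        if reasons:
            flagged.append((login, reasons))
    return flagged


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_ADMIN_EXPORT, KNOWN_ADMINS, DISCLOSURE_DATE):
        print(f"{login}: {'; '.join(reasons)}")
```

On a real site, pipe the wp-cli output into the script instead of the constructed sample. The allowlist check is the one that matters; the date and regex checks only rank the findings. An account that trips all three, like the first flagged record, is the pattern the campaign produced, but delete only what you have confirmed you do not recognize.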


Conclusion

This incident serves as a critical reminder that speed matters in cybersecurity. As soon as a vulnerability is disclosed — even before most people are aware — hackers are already scanning for ways to exploit it.

The OttoKit plugin’s popularity and its powerful automation capabilities made it a prime target. If you manage a WordPress website and rely on third-party plugins, it’s crucial to stay up-to-date with security patches and best practices.
