A critical security vulnerability has been identified in the OttoKit WordPress plugin, formerly known as SureTriggers, sparking concerns about the safety of over 100,000 active installations. The vulnerability, tracked as CVE-2025-3102, allows unauthorized attackers to create administrator accounts on certain unconfigured websites, granting them full control. With a CVSS score of 8.1, this authorization bypass flaw primarily stems from the missing empty value check on the ‘secret_key’ in the ‘authenticate_user’ function present in versions up to 1.0.78 of the plugin.
The Discovery and Immediate Threat
Renowned security researcher Michael Mazzolini discovered the critical flaw and reported it on March 13, 2025. Following the disclosure, OttoKit developers quickly responded, releasing a patched version, 1.0.79, on April 3, 2025. Despite the prompt fix, attackers did not delay in attempting exploits, targeting websites where the OttoKit plugin remained installed and active but inadequately configured. These malevolent actors have been using randomly generated usernames to create fraudulent admin accounts. Wordfence researcher István Márton and Patchstack identified two specific IP addresses linked to these attacks, emphasizing the immediate risk.
OttoKit’s primary function involves the automation of various tasks by integrating different apps and plugins, making it a valuable tool for its users. However, its widespread adoption means a substantial number of sites could have been vulnerable. Although only an unconfigured subset of these installations were specifically at risk, the urgency for WordPress site owners to ensure their plugins are up-to-date and their security measures robust became immediately clear.
Responding to the Threat
As the news of exploits spread, site administrators were urged to take action. The immediate steps included updating the OttoKit plugin to the latest version, 1.0.79, which addresses the critical vulnerability. Owners were also advised to review their admin accounts rigorously, removing any suspicious users potentially created by unauthorized access. Enhancing overall security measures, such as implementing stronger password policies and considering multi-factor authentication, became priorities in preventing potential hijacks.
The response from WordPress site owners varied, with proactive administrators quickly securing their sites. Ensuring that plugins are always updated should be a key practice, as outdated plugins often become gateways for attackers. Continuous monitoring and regular audits of admin accounts and other critical components also play vital roles in maintaining website security and integrity.
Conclusion
A significant security vulnerability has been discovered in the OttoKit WordPress plugin, previously known as SureTriggers, raising alarms about the protection of over 100,000 active installations. This vulnerability, designated as CVE-2025-3102, enables unauthorized attackers to create administrator accounts on certain websites that are not properly configured, thereby granting them complete control over the site. The flaw has been assigned a CVSS score of 8.1, highlighting its severity. The core issue lies in an authorization bypass weakness, which arises from the absence of an empty value check on the ‘secret_key’ within the ‘authenticate_user’ function found in versions up to 1.0.78 of the plugin. Users of the OttoKit plugin are strongly urged to update to the latest version to mitigate any potential security risks. Ensuring that the plugin is properly configured and updated is essential to prevent unauthorized access and maintain the security of their WordPress websites.