A newly disclosed high-severity security flaw affecting OttoKit (formerly SureTriggers) has come under active exploitation within hours of public disclosure.
The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could allow an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘authenticate_user’ function in all versions up to, and including, 1.0.78,” Wordfence’s István Márton said.
“This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”
Successful exploitation of the vulnerability could enable an attacker to gain full control over a WordPress site and leverage the unauthorized access to upload arbitrary plugins, make malicious modifications to serve malware or spam, and even redirect site visitors to other sketchy websites.
Security researcher Michael Mazzolini (aka mikemyers) has been credited with discovering and reporting the flaw on March 13, 2025. The issue has been addressed in version 1.0.79 of the plugin, released on April 3, 2025.

OttoKit offers WordPress users the ability to connect different apps and plugins through workflows that can be used to automate repetitive tasks.
While the plugin has over 100,000 active installations, it bears noting that only a subset of those websites are actually exploitable, since the attack hinges on the plugin being in a non-configured state despite being installed and activated.
That said, attackers have already jumped on the exploitation bandwagon, attempting to quickly capitalize on the disclosure to create bogus administrator accounts with the name “xtw1838783bc,” per Patchstack.
“Since it’s randomized it’s highly likely to assume that username, password, and email alias will be different for each exploitation attempt,” the WordPress security company said.
The attack attempts have originated from two different IP addresses:
- 2a01:e5c0:3167::2 (IPv6)
- 89.169.15.201 (IPv4)
In light of active exploitation, WordPress site owners relying on the plugin are advised to apply the updates as soon as possible for optimal protection, check for suspicious admin accounts, and remove them.
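One way to carry out that check, as an added example that is not part of the original article: the script below flags administrator accounts created on or after the patch date that are not on an allowlist, and scans a web-server access log for requests from the two source addresses reported above. The user list and log lines are constructed sample data (the user-list fields mirror what `wp user list --role=administrator --format=json` emits); the allowlist and paths are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Date the patched plugin (1.0.79) was released, per the article; unfamiliar
# admin logins created on or after it deserve a second look.
PATCH_DATE = datetime(2025, 4, 3, tzinfo=timezone.utc)
# Source addresses Patchstack attributed the attempts to, per the article.
KNOWN_ATTACKER_IPS = {"2a01:e5c0:3167::2", "89.169.15.201"}
# Logins the site owner knows to be legitimate (hypothetical allowlist).
KNOWN_ADMINS = {"siteadmin"}

# Constructed sample of `wp user list --role=administrator --format=json`.
SAMPLE_USERS_JSON = """[
 {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com",
  "user_registered": "2021-05-10 09:12:00", "roles": "administrator"},
 {"ID": 57, "user_login": "xtw1838783bc", "user_email": "x@example.com",
  "user_registered": "2025-04-09 14:03:21", "roles": "administrator"}
]"""

# Constructed sample access log (combined log format, one request per line).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [09/Apr/2025:13:58:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
89.169.15.201 - - [09/Apr/2025:14:03:20 +0000] "POST /wp-json/ HTTP/1.1" 200 88 "-" "python-requests/2.31"
2a01:e5c0:3167::2 - - [09/Apr/2025:14:05:44 +0000] "POST /wp-json/ HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

# client_ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def suspicious_admins(users_json, known_admins=KNOWN_ADMINS):
    """Return admin logins absent from the allowlist and created on/after PATCH_DATE."""
    flagged = []
    for user in json.loads(users_json):
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        created = created.replace(tzinfo=timezone.utc)  # WP stores UTC timestamps
        if user["user_login"] not in known_admins and created >= PATCH_DATE:
            flagged.append(user["user_login"])
    return flagged


def hits_from_known_ips(log_text, attacker_ips=KNOWN_ATTACKER_IPS):
    """Return (ip, timestamp, request) for every log line from a reported source address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in attacker_ips:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    print("Admin accounts to review:", suspicious_admins(SAMPLE_USERS_JSON))
    for ip, ts, req in hits_from_known_ips(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} {req}")
```

A hit on either check is a prompt for review, not proof of compromise; confirm the account's origin before removing it and rotate credentials if it turns out to be unauthorized.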