A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure.
The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78,” Wordfence’s István Márton said.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”
Successful exploitation of the vulnerability could permit an attacker to gain complete control over a WordPress site and leverage the unauthorized access to upload arbitrary plugins, make malicious modifications to serve malware or spam, and even redirect site visitors to other sketchy websites.
Security researcher Michael Mazzolini (aka mikemyers) has been credited with discovering and reporting the flaw on March 13, 2025. The issue has been addressed in version 1.0.79 of the plugin released on April 3, 2025.
OttoKit offers the ability for WordPress users to connect different apps and plugins through workflows that can be used to automate repetitive tasks.
While the plugin has over 100,000 active installations, it bears noting that only a subset of the websites are actually exploitable due to the fact that it hinges on the plugin to be in a non-configured state despite being installed and activated.
That said, attackers have already jumped in on the exploitation bandwagon, attempting to quickly capitalize on the disclosure to create bogus administrator accounts with the name “xtw1838783bc,” per Patchstack.
“Since it is randomized it is highly likely to assume that username, password, and email alias will be different for each exploitation attempt,” the WordPress security company said.
The attack attempts have originated from two different IP addresses –
- 2a01:e5c0:3167::2 (IPv6)
- 89.169.15.201 (IPv4)
In light of active exploitation, WordPress site owners relying on the plugin are advised to apply the updates as soon as possible for optimal protection, check for suspicious admin accounts, and remove them.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes