In a concerning development for WordPress users, hackers have begun exploiting a critical vulnerability that allows unauthorized access to the OttoKit (formerly known as SureTriggers) plugin. This high-severity flaw was publicly disclosed, and exploitation activity was detected within mere hours, underscoring the urgency of implementing appropriate cybersecurity measures.
To safeguard your website, it is imperative to upgrade to the latest version of the OttoKit plugin, now available as version 1.0.79, which was released at the beginning of this month. This version addresses the authentication bypass vulnerability, designated as CVE-2025-3102, that impacts all previous versions up to 1.0.78.
Understanding the OttoKit Plugin
The OttoKit WordPress plugin facilitates seamless integration with various external tools and plugins, including WooCommerce, Mailchimp, and Google Sheets. It enables users to automate a wide range of tasks, such as sending emails, managing user additions, and updating customer relationship management (CRM) systems—all without requiring code. Currently, OttoKit is active on approximately 100,000 websites.
The Vulnerability: CVE-2025-3102
Discovered by security researcher ‘mikemyers’, the CVE-2025-3102 vulnerability arises from an incomplete validation check within the authenticate_user() function, which handles REST API authentication. Specifically, the check can be bypassed when the plugin has never been configured with an API key, because the stored secret_key is then empty.
Exploitation Methodology
An adversary can exploit this vulnerability by sending a request with an empty st_authorization header, which matches the empty stored secret, bypasses the authentication check, and grants access to protected API endpoints. This flaw allows attackers to create new administrator accounts without valid credentials, significantly escalating the risk of a complete site takeover.
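The following is an added illustration of the logic defect described above, written in Python rather than the plugin's PHP; it is not code from OttoKit/SureTriggers, and the function names and the way the stored key is passed in are assumptions. It contrasts a bare equality test, which accepts an empty header whenever no API key has ever been configured, with a check that fails closed when either side is empty and compares in constant time.

```python
"""Model of the authentication check behind CVE-2025-3102.

Added example, not the plugin's own code. Function names and parameters
are assumptions chosen to mirror the article's description of
authenticate_user(), the stored secret_key and the st_authorization header.
"""
import hmac
from typing import Optional


def authenticate_user_vulnerable(stored_secret_key: str,
                                 st_authorization: Optional[str]) -> bool:
    """Pattern the article describes: a plain equality test.

    If the plugin was never configured, stored_secret_key is '' and an
    empty header therefore compares equal, so the request is accepted.
    """
    if st_authorization is None:  # header absent entirely
        return False
    return st_authorization == stored_secret_key


def authenticate_user_fixed(stored_secret_key: Optional[str],
                            st_authorization: Optional[str]) -> bool:
    """Hardened check: fail closed on an unconfigured key or empty header,
    then compare in constant time so timing does not leak the secret."""
    if not stored_secret_key or not st_authorization:
        return False
    return hmac.compare_digest(stored_secret_key.encode("utf-8"),
                               st_authorization.encode("utf-8"))


def compare_behaviour(stored_secret_key: Optional[str],
                      st_authorization: Optional[str]) -> dict:
    """Return both verdicts for one (stored key, header) pair, which makes
    the unconfigured-plugin case easy to see side by side."""
    return {
        "vulnerable": authenticate_user_vulnerable(stored_secret_key or "",
                                                   st_authorization),
        "fixed": authenticate_user_fixed(stored_secret_key, st_authorization),
    }


if __name__ == "__main__":
    # Constructed cases: unconfigured plugin with empty header, configured
    # plugin with the correct key, configured plugin with an empty header.
    for stored, header in [("", ""), ("correct-key", "correct-key"),
                           ("correct-key", ""), ("", None)]:
        print(repr(stored), repr(header), compare_behaviour(stored, header))
```

The only case where the two verdicts differ is the unconfigured plugin with an empty header: the vulnerable check grants access, the fixed one refuses. A site that had configured an API key was never reachable through this path, which is why the advisory scopes the issue to installs without a key.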
The rapid reporting of the flaw to Wordfence, and the swift release of a patch by the plugin vendor, highlight both how critical the flaw was and how quickly the threat landscape moves. Following the vulnerability’s disclosure on April 3, the plugin vendor acted promptly, releasing the fix on the same day. Nonetheless, malicious actors were quick to exploit the oversight, taking advantage of any delays in administrative updates.
Proactive Measures for WordPress Users
Researchers from the WordPress security platform Patchstack have noted that the first exploitation attempts occurred shortly after the flaw’s announcement, with a recorded attempt taking place just four hours later. They emphasize the imperative nature of immediate patch application or mitigation strategies upon the disclosure of vulnerabilities.
According to Patchstack, “This swift exploitation underscores the critical need to apply patches immediately upon public disclosure of vulnerabilities.” The threat landscape is evolving, and attackers are increasingly employing automated methods to create new administrative accounts using randomized combinations of usernames, passwords, and email addresses.
Recommendations for Security Enhancements
For those utilizing the OttoKit/SureTriggers plugin, immediate action is essential. Upgrade to version 1.0.79 without delay and perform a thorough audit of your logs for any signs of unauthorized administrative accounts or anomalous changes:
- Check for unexpected creation of admin accounts or alterations in user roles.
- Monitor for any installations of unauthorized plugins or themes.
- Investigate database access events and modifications to security settings.
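As an added example of the first audit item (not tooling from Patchstack, Wordfence or the plugin vendor), the script below reviews a list of user accounts for administrators that are unexpected. Its input layout follows what WP-CLI's `wp user list --format=json` prints, but the records here are constructed, the known-admin allowlist is an assumption a site owner would fill in, and the random-looking-username heuristic is an assumption based on the article's note about randomized usernames. The April 3 disclosure date is taken from the article.

```python
"""Flag administrator accounts that warrant investigation after CVE-2025-3102.

Added example, not part of the original article or any vendor tooling.
Assumptions: the JSON shape mirrors `wp user list --format=json` with a
comma-separated `roles` field; KNOWN_ADMINS and the randomness heuristic
are placeholders a site owner should adapt.
"""
import json
import math
from collections import Counter
from datetime import datetime

DISCLOSURE_DATE = datetime(2025, 4, 3)   # from the article
KNOWN_ADMINS = {"siteowner"}              # assumption: fill with real logins

# Constructed sample records; these are not real accounts.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-06-14 09:12:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2023-02-02 10:00:00", "roles": "editor"},
    {"ID": 57, "user_login": "xk9q2vb7", "user_email": "a8f1@example.net",
     "user_registered": "2025-04-03 14:27:51", "roles": "administrator"},
    {"ID": 58, "user_login": "helpdesk", "user_email": "help@example.com",
     "user_registered": "2025-04-05 08:00:00", "roles": "administrator"},
])


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; high values suggest random strings."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(login: str) -> bool:
    """Heuristic (assumption): mixed letters and digits, at least 8 chars,
    and high per-character entropy, as generated usernames tend to be."""
    has_digit = any(ch.isdigit() for ch in login)
    has_alpha = any(ch.isalpha() for ch in login)
    return has_digit and has_alpha and len(login) >= 8 and shannon_entropy(login) > 2.8


def audit_admins(users_json: str, known_admins=KNOWN_ADMINS,
                 since: datetime = DISCLOSURE_DATE) -> list:
    """Return administrator accounts with one or more reasons to review."""
    findings = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        if "administrator" not in roles:
            continue
        reasons = []
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins:
            reasons.append("not in known-admin allowlist")
        if registered >= since:
            reasons.append("registered on or after disclosure date")
        if looks_random(user["user_login"]):
            reasons.append("random-looking username")
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "user_email": user["user_email"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_USERS_JSON):
        print(finding["ID"], finding["user_login"], "->", "; ".join(finding["reasons"]))
```

On a live site the JSON would come from WP-CLI (`wp user list --role=administrator --format=json`) or a database export; an account flagged only for "not in known-admin allowlist" may simply be a forgotten legitimate admin, whereas one that also registered after disclosure with a random-looking login should be treated as a likely artifact of the exploitation described above and removed after the site is patched.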
In conclusion, the security of your WordPress site depends on timely updates and proactive monitoring. Adhering to best practices in cybersecurity will ensure that you are equipped to address vulnerabilities as they arise, protecting both your website and its users from emerging threats.
To further enhance your understanding of the threat landscape and bolster your defenses, explore comprehensive insights into the top MITRE ATT&CK techniques derived from an analysis of 14 million malicious actions, available in the Red Report 2025.