
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure.
The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78,” Wordfence’s István Márton said.
“This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”
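To make the bug class concrete, the following is an added example that models the check Wordfence describes; it is not OttoKit's or SureTriggers' PHP, and the names `authenticate_vulnerable`, `authenticate_fixed` and `create_admin_if_authorized` are hypothetical. The point it demonstrates is that comparing a supplied key against a stored key that was never set collapses into an empty-equals-empty match, and that the fix is to refuse authentication outright whenever the stored value is empty.

```python
"""Model of the authorization-bypass pattern behind CVE-2025-3102.

Added illustration, not the plugin's code.  All names here are hypothetical;
the stored value stands in for a plugin option that is empty until the site
owner configures an API key.
"""
import hmac
from typing import Callable, Dict, Optional


def authenticate_vulnerable(stored_secret_key: Optional[str],
                            provided_key: Optional[str]) -> bool:
    """Vulnerable check: accepts the request when the keys compare equal.

    If the plugin is active but no API key has been configured, the stored
    value is empty (or unset).  A request carrying an empty key then compares
    equal and the caller is treated as authenticated.
    """
    return (stored_secret_key or "") == (provided_key or "")


def authenticate_fixed(stored_secret_key: Optional[str],
                       provided_key: Optional[str]) -> bool:
    """Hardened check: an unconfigured integration can never authenticate."""
    # The missing empty-value check: reject before comparing anything.
    if not stored_secret_key or not provided_key:
        return False
    # Constant-time comparison so the check does not leak key bytes via timing.
    return hmac.compare_digest(stored_secret_key.encode("utf-8"),
                               provided_key.encode("utf-8"))


def create_admin_if_authorized(auth_fn: Callable[[Optional[str], Optional[str]], bool],
                               stored_secret_key: Optional[str],
                               provided_key: Optional[str],
                               users: Dict[str, dict],
                               username: str) -> bool:
    """Privileged action gated on the check; returns True if an account was created."""
    if not auth_fn(stored_secret_key, provided_key):
        return False
    users[username] = {"role": "administrator"}
    return True


if __name__ == "__main__":
    # Unconfigured site (stored key empty) receiving a request with an empty key.
    site_users: Dict[str, dict] = {}
    print("vulnerable:", create_admin_if_authorized(
        authenticate_vulnerable, "", "", site_users, "constructed-example-user"))
    print("fixed:     ", create_admin_if_authorized(
        authenticate_fixed, "", "", site_users, "constructed-example-user"))
```

The hardened variant also refuses when the caller sends no key at all, so a configured site is unaffected either way; the only behavioural change is on the unconfigured installs that the advisory identifies as exposed.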
Successful exploitation of the vulnerability could permit an attacker to gain complete control over a WordPress site and leverage the unauthorized access to upload arbitrary plugins, make malicious modifications to serve malware or spam, and even redirect site visitors to other sketchy websites.
Security researcher Michael Mazzolini (aka mikemyers) has been credited with discovering and reporting the flaw on March 13, 2025. The issue has been addressed in version 1.0.79 of the plugin released on April 3, 2025.
OttoKit offers the ability for WordPress users to connect different apps and plugins through workflows that can be used to automate repetitive tasks.
While the plugin has over 100,000 active installations, it bears noting that only a subset of those sites are actually exploitable, since the attack depends on the plugin being installed and activated but never configured with an API key.
That said, attackers have already jumped in on the exploitation bandwagon, attempting to quickly capitalize on the disclosure to create bogus administrator accounts with the name “xtw1838783bc,” per Patchstack.
“Since it is randomized, it is highly likely to assume that username, password, and email alias will be different for each exploitation attempt,” the WordPress security company said.
The attack attempts have originated from two different IP addresses:
- 2a01:e5c0:3167::2 (IPv6)
- 89.169.15.201 (IPv4)
In light of active exploitation, WordPress site owners relying on the plugin are advised to update to version 1.0.79 or later as soon as possible, check for suspicious administrator accounts, and remove any they do not recognize.
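As an added example of the account audit recommended above (not code from the article, Patchstack or OttoKit), the script below flags administrator accounts that were registered after the fix was released or that match the random-looking username shape reported by Patchstack, and counts web-server log lines from the two published source addresses. The user records and log lines are constructed, and `KNOWN_ADMINS`, the date cut-off and the record layout are assumptions; on a real site the user list would come from WP-CLI or the `wp_users` table.

```python
"""Audit helpers for site owners responding to CVE-2025-3102.

Added example with constructed data.  The field names and the allowlist are
assumptions; only the two source IPs and the example username come from the
public reporting.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Version 1.0.79 shipped on April 3, 2025; admins registered on or after this
# date on an exposed site deserve a second look (assumed cut-off).
FIX_RELEASE_DATE = datetime(2025, 4, 3)

# Source addresses reported by Patchstack.
REPORTED_SOURCE_IPS = {
    ipaddress.ip_address("2a01:e5c0:3167::2"),
    ipaddress.ip_address("89.169.15.201"),
}

# Heuristic for the reported shape "xtw1838783bc": short lowercase prefix plus a
# long alphanumeric tail that contains at least one digit.  Hits are leads, not proof.
RANDOM_NAME = re.compile(r"^[a-z]{2,4}(?=[0-9a-z]*\d)[0-9a-z]{8,}$")


def flag_suspicious_admins(users: Iterable[Dict],
                           known_admins: Set[str],
                           since: datetime = FIX_RELEASE_DATE) -> List[Tuple[str, List[str]]]:
    """Return (username, reasons) for administrator accounts not in the allowlist."""
    flagged = []
    for user in users:
        if user["role"] != "administrator" or user["username"] in known_admins:
            continue
        reasons = []
        if user["registered"] >= since:
            reasons.append("registered after fix release")
        if RANDOM_NAME.match(user["username"]):
            reasons.append("random-looking username")
        if reasons:
            flagged.append((user["username"], reasons))
    return flagged


def hits_from_reported_ips(log_lines: Iterable[str]) -> List[str]:
    """Return access-log lines whose client address is one of the reported sources."""
    hits = []
    for line in log_lines:
        client = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(client)  # normalises IPv6 spelling
        except ValueError:
            continue  # malformed or non-IP first field; skip it
        if addr in REPORTED_SOURCE_IPS:
            hits.append(line)
    return hits


# Constructed sample data for a stand-alone run.
KNOWN_ADMINS = {"siteadmin"}
SAMPLE_USERS = [
    {"username": "siteadmin", "role": "administrator", "registered": datetime(2023, 5, 1)},
    {"username": "editor1", "role": "editor", "registered": datetime(2025, 4, 5)},
    {"username": "xtw1838783bc", "role": "administrator",
     "registered": datetime(2025, 4, 10, 14, 2)},
]
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2025:13:59:01 +0000] "GET / HTTP/1.1" 200 1024',
    '89.169.15.201 - - [10/Apr/2025:14:02:11 +0000] "POST / HTTP/1.1" 200 512',
    '2A01:E5C0:3167:0:0:0:0:2 - - [10/Apr/2025:14:03:40 +0000] "POST / HTTP/1.1" 200 512',
    'not-an-ip - - [10/Apr/2025:14:04:00 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for name, reasons in flag_suspicious_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"suspicious admin {name!r}: {', '.join(reasons)}")
    print(f"{len(hits_from_reported_ips(SAMPLE_LOG))} log lines from reported source IPs")
```

Normalising through `ipaddress` matters for the IPv6 indicator, which web servers may log in expanded or upper-case form; a plain string match would miss it.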