OttoKit Plugin Vulnerability Exploited Just Hours After Disclosure

by Tekmono Editorial Team
11/04/2025
in News

Hackers began exploiting a high-severity authentication bypass vulnerability in the OttoKit WordPress plugin just hours after its public disclosure, posing a significant risk to users.

The OttoKit WordPress plugin, formerly known as SureTriggers, allows users to connect various plugins and external tools like WooCommerce, Mailchimp, and Google Sheets to automate tasks without code. With the plugin active on 100,000 websites, the vulnerability identified as CVE-2025-3102 impacts all versions up to 1.0.78.

The flaw stems from a missing empty-value check in the authenticate_user() function, which handles REST API authentication. If the plugin has never been configured with an API key, the stored secret_key remains empty, and an empty st_authorization header matches it. An attacker can therefore send a request with an empty st_authorization header, bypass authentication, and gain unauthorized access to the protected API endpoints.
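To make the missing-check pattern concrete, here is an added, simplified illustration of the two comparison styles side by side. It is not OttoKit's own code: only the header name st_authorization and the secret_key setting come from the article; the function names, the array-based header access and the constant-time comparison are assumptions added for the example.

```php
<?php
// Added example, not the plugin's code. Models a REST auth callback that
// compares the st_authorization header with a stored secret_key.

// Vulnerable pattern: no guard for an unconfigured (empty) secret_key.
// Both sides default to '' so the comparison succeeds with no credential.
function authenticate_user_vulnerable(array $headers, string $stored_secret_key): bool
{
    $provided = $headers['st_authorization'] ?? '';
    return $provided == $stored_secret_key;
}

// Hardened pattern: refuse when no key is configured, refuse an empty
// header, and compare in constant time (hash_equals is an extra hardening
// step beyond the empty-value check the article describes).
function authenticate_user_fixed(array $headers, string $stored_secret_key): bool
{
    if ($stored_secret_key === '') {
        return false; // plugin never configured: nothing may authenticate
    }
    if (!isset($headers['st_authorization']) || $headers['st_authorization'] === '') {
        return false; // empty credential is never valid
    }
    return hash_equals($stored_secret_key, (string) $headers['st_authorization']);
}

// Constructed sample inputs (placeholder key, not a real secret).
$unconfigured_key = '';
$configured_key   = 'PLACEHOLDER-API-KEY';
$empty_header     = ['st_authorization' => ''];
$valid_header     = ['st_authorization' => 'PLACEHOLDER-API-KEY'];

$cases = [
    'vulnerable, unconfigured site, empty header' =>
        authenticate_user_vulnerable($empty_header, $unconfigured_key),
    'fixed, unconfigured site, empty header' =>
        authenticate_user_fixed($empty_header, $unconfigured_key),
    'fixed, configured site, empty header' =>
        authenticate_user_fixed($empty_header, $configured_key),
    'fixed, configured site, correct key' =>
        authenticate_user_fixed($valid_header, $configured_key),
];

foreach ($cases as $label => $result) {
    printf("%-45s => %s\n", $label, $result ? 'AUTHENTICATED' : 'rejected');
}
```

Only the first case authenticates without a credential, which is the condition the article describes; the remaining cases show the fixed function rejecting empty input regardless of configuration state.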

Essentially, CVE-2025-3102 enables attackers to create new administrator accounts without authentication, potentially leading to full site takeover. The vulnerability was reported to Wordfence in mid-March by security researcher ‘mikemyers’, who received a $1,024 bounty for the discovery.

The plugin vendor was notified on April 3rd and released a fix in version 1.0.79 on the same day. However, exploitation attempts began just hours after the public disclosure of the vulnerability. Researchers at Patchstack reported that the first exploitation attempt was logged just four hours after the vulnerability was added to their database.

Attackers are attempting to create new administrator accounts with randomized username, password, and email address combinations, indicating automated attacks. Users of the OttoKit/SureTriggers plugin are strongly advised to upgrade to version 1.0.79 immediately and check logs for suspicious activity, such as new admin accounts, installation of plugins or themes, database access events, and modification of security settings.
