A significant security flaw in the OttoKit WordPress plugin, formerly known as SureTriggers, is being actively exploited by malicious actors. The vulnerability, tracked as CVE-2025-3102 with a CVSS score of 8.1, lets unauthenticated attackers create administrator accounts on sites that meet one specific condition (the plugin is active but has never been configured with an API key), which amounts to full control of the affected site.
The OttoKit plugin is designed to help WordPress users automate tasks by connecting various applications and plugins through customizable workflows. With over 100,000 active installations, it has become a popular tool for enhancing website functionality.
Details of the Vulnerability
The core issue is an authorization bypass in the plugin's ‘authenticate_user’ function. The function compares the ‘secret_key’ supplied with a request against the key the site has stored, but it never rejects an empty value. On a site where the plugin is installed and activated but has not been configured with an API key, the stored key is empty, so a request carrying an empty key passes the check and an unauthenticated attacker can go on to create an administrator account.
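The bug class is easier to see in code than in prose. The following is an added, language-neutral model written for this article, not the OttoKit plugin's own code: the options store, the header name and the function names are assumptions. The vulnerable check only tests equality, so an unconfigured site (stored key empty) accepts a request that sends no key at all; the hardened check refuses to authenticate whenever either side is empty and compares in constant time.

```python
import hmac
from typing import Callable, Mapping, Optional

# Constructed illustration of a shared-secret check guarding a privileged
# action. It is NOT the plugin's code; the "Authorization: Bearer <key>"
# header, the options dict and the function names are assumptions.

BEARER = "Bearer "


def _extract_key(headers: Mapping[str, str]) -> str:
    """Return the token from an 'Authorization: Bearer <key>' header.

    A missing header, or a header with no token, yields "" which is
    exactly the value a never-configured site has stored.
    """
    value = headers.get("Authorization", "")
    if not value.startswith(BEARER):
        return ""
    return value[len(BEARER):].strip()


def vulnerable_authenticate(options: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Flawed pattern: equality only, no check for empty values."""
    stored = options.get("secret_key", "")
    provided = _extract_key(headers)
    return provided == stored  # "" == "" is True on an unconfigured site


def hardened_authenticate(options: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Reject before comparing: an unset stored key (plugin not configured)
    or an empty request key can never authenticate; the comparison itself
    is constant-time so the key cannot be guessed byte by byte."""
    stored = options.get("secret_key", "")
    provided = _extract_key(headers)
    if not stored or not provided:
        return False
    return hmac.compare_digest(provided.encode(), stored.encode())


def create_admin(
    options: Mapping[str, str],
    headers: Mapping[str, str],
    authenticate: Callable[[Mapping[str, str], Mapping[str, str]], bool],
    username: str,
) -> Optional[dict]:
    """Privileged action gated by the chosen check. Returns the new user
    record, or None when authentication fails."""
    if not authenticate(options, headers):
        return None
    return {"user_login": username, "role": "administrator"}


if __name__ == "__main__":
    unconfigured = {}  # plugin active, no API key ever saved
    configured = {"secret_key": "k3y-from-dashboard"}
    no_header = {}     # attacker sends no Authorization header at all

    # Unconfigured site: the flawed check hands out an admin, the fixed one does not.
    print(create_admin(unconfigured, no_header, vulnerable_authenticate, "xtw1838783bc"))
    print(create_admin(unconfigured, no_header, hardened_authenticate, "xtw1838783bc"))
    # Configured site with the right key: both checks allow the action.
    good = {"Authorization": "Bearer k3y-from-dashboard"}
    print(create_admin(configured, good, hardened_authenticate, "ops"))
```

Note that the fix is not "check that the key matches" (it already did) but "refuse to run the check at all when there is nothing to match against". Any endpoint that authenticates against a value that can legitimately be unset needs the same guard.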
Security researcher Michael Mazzolini, also known as mikemyers, discovered and reported this flaw on March 13, 2025. The developers addressed the issue by releasing version 1.0.79 of the plugin on April 3, 2025.
Exploitation in the Wild
Shortly after the public disclosure of the vulnerability, attackers began exploiting it to create unauthorized administrator accounts. These accounts often have usernames like xtw1838783bc, but the username, password and email address vary between attempts, so the name alone is not a reliable indicator. The attacks observed so far originate from two IP addresses:
– 2a01:e5c0:3167::2 (IPv6)
– 89.169.15.201 (IPv4)
It’s important to note that not all installations of the OttoKit plugin are vulnerable. The exploit only works on sites where the plugin is installed and activated but has never been configured with an API key. Sites that have been connected with an API key are not exposed to this bypass, although they should still update.
Potential Impact
If successfully exploited, this vulnerability allows attackers to gain complete control over a WordPress site. They can upload malicious plugins, alter website content to distribute malware or spam, and redirect visitors to harmful websites. Such unauthorized access can severely damage a site’s reputation, compromise user data, and lead to significant financial losses.
Recommendations for Website Owners
Given the active exploitation of this vulnerability, it’s crucial for WordPress site administrators using the OttoKit plugin to take immediate action:
1. Update the Plugin: Ensure that your OttoKit plugin is updated to version 1.0.79 or later. This version contains the necessary patches to fix the vulnerability.
2. Verify Plugin Configuration: After updating, confirm that the plugin is configured with an API key; an active but unconfigured installation is exactly the state the attack targets. If you do not actually use the plugin, deactivate and delete it rather than leaving it installed and unconfigured.
3. Audit Administrator Accounts: Review all administrator accounts on your site. Look for any unfamiliar accounts, especially those with suspicious usernames like xtw1838783bc or accounts registered after April 3, 2025 that you did not create. If found, remove them immediately and treat the site as compromised: check for plugins, themes or files you did not install, and rotate the passwords of the remaining administrators.
4. Monitor for Suspicious Activity: Keep an eye on your site’s logs for unusual activity, such as unexpected login attempts, new user registrations or changes to site content, and for requests from the two IP addresses listed above.
5. Implement Additional Security Measures: Consider using security plugins that offer features like two-factor authentication, firewall protection, and regular security scans to enhance your site’s defenses.
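The indicators given in the "Exploitation in the Wild" section and the account-audit and log-monitoring steps above can be turned into a small triage script. The following is an added example written for this article, not a tool from the plugin vendor or the original post. It assumes a combined-format access log and a user export shaped like `wp user list --format=json` output (ID, user_login, user_email, user_registered, roles); both the log lines and the user records below are constructed sample data. The username regex generalises the single reported sample and is an assumption, which is why the audit also flags any administrator that is missing from a known-admin allowlist or was registered on or after the April 3, 2025 disclosure date.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Indicators reported in the article.
ATTACKER_IPS = {"2a01:e5c0:3167::2", "89.169.15.201"}
# Assumption: generalised from the one sample username "xtw1838783bc".
SUSPICIOUS_LOGIN = re.compile(r"^xtw[0-9a-f]{6,}$", re.IGNORECASE)
# Fix release / disclosure date, used as the review cut-off.
DISCLOSURE = datetime(2025, 4, 3, tzinfo=timezone.utc)

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines; silently skip lines that do not match."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def flag_attacker_requests(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every request that came from one of the reported source IPs."""
    return [e for e in entries if e["ip"] in ATTACKER_IPS]


def audit_admins(users: List[Dict[str, str]], known_admins: Iterable[str]) -> List[Dict[str, object]]:
    """Flag administrator accounts that need a human look, with the reasons.

    A name that does not match the pattern is still flagged if it is not on
    the allowlist or was created after disclosure, since the attackers vary
    the username between attempts.
    """
    known = set(known_admins)
    findings = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        login = u["user_login"]
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = []
        if SUSPICIOUS_LOGIN.match(login):
            reasons.append("login matches attacker naming pattern")
        if login not in known:
            reasons.append("not in the known-administrator list")
        if registered >= DISCLOSURE:
            reasons.append("registered on or after disclosure date")
        if reasons:
            findings.append({"user_login": login, "user_email": u["user_email"], "reasons": reasons})
    return findings


# Constructed sample data (not real logs or users from any site).
SAMPLE_LOG = """\
89.169.15.201 - - [10/Apr/2025:14:02:11 +0000] "POST /wp-json/ HTTP/1.1" 200 312
203.0.113.7 - - [10/Apr/2025:14:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2711
2a01:e5c0:3167::2 - - [10/Apr/2025:14:06:03 +0000] "POST /wp-json/ HTTP/1.1" 200 298
"""

SAMPLE_USERS = [
    {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-01-15 09:12:00", "roles": "administrator"},
    {"ID": "2", "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2024-06-02 11:00:00", "roles": "editor"},
    {"ID": "7", "user_login": "xtw1838783bc", "user_email": "xtw1838783bc@example.net",
     "user_registered": "2025-04-10 14:06:04", "roles": "administrator"},
    {"ID": "8", "user_login": "backupadmin", "user_email": "backup@example.net",
     "user_registered": "2025-04-12 03:00:00", "roles": "administrator"},
]
KNOWN_ADMINS = {"siteowner"}

if __name__ == "__main__":
    for hit in flag_attacker_requests(parse_log(SAMPLE_LOG.splitlines())):
        print(f"attacker IP {hit['ip']} -> {hit['method']} {hit['path']} {hit['status']} at {hit['ts']}")
    for f in audit_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"review admin {f['user_login']} <{f['user_email']}>: {'; '.join(f['reasons'])}")
```

On a real site, feed it the web server's access log and the JSON from `wp user list --format=json`, and keep the allowlist in version control so that a later run only shows new findings. Deleting a flagged account is the last step, not the first: capture the log evidence before cleanup, because the account, the source IP and the timestamp together tell you when the intrusion started and what else to look for.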
Broader Context
This incident underscores the importance of promptly addressing vulnerabilities in widely used plugins. In November 2024, a similar critical authentication bypass vulnerability was discovered in the Really Simple Security plugin, affecting over 4 million WordPress sites. That flaw, tracked as CVE-2024-10924 with a CVSS score of 9.8, allowed unauthenticated attackers to gain full administrative access to affected sites. The issue was patched in version 9.1.2 of the plugin.
These recurring vulnerabilities highlight the need for continuous vigilance and proactive security measures within the WordPress ecosystem.
Conclusion
The active exploitation of the CVE-2025-3102 vulnerability in the OttoKit WordPress plugin serves as a stark reminder of the critical importance of timely software updates and proper configuration. Website administrators must remain alert to emerging threats and take immediate action to secure their sites against potential attacks.