High-Severity OttoKit Vulnerability (CVE-2025-3102) Under Active Exploitation: WordPress Sites at Risk



A high-severity vulnerability affecting the OttoKit plugin for WordPress, formerly known as SureTriggers, is currently being actively exploited just hours after public disclosure, prompting urgent calls for users to update immediately.


The flaw, tracked as CVE-2025-3102 and rated 8.1 on the CVSS scale, is an authorization bypass vulnerability that could allow threat actors to create unauthorized administrator accounts under specific conditions—potentially granting full control over affected WordPress websites.


According to István Márton of Wordfence, the vulnerability stems from a missing check for empty values in the authenticate_user function of the plugin, specifically concerning the secret_key field. This bug affects all versions up to and including 1.0.78.


"This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key," Márton explained.


Widespread Exploitation in Progress


The vulnerability was originally discovered and responsibly disclosed by security researcher Michael Mazzolini (known online as mikemyers) on March 13, 2025. A patch was released on April 3, 2025, with the issue resolved in version 1.0.79.


Despite the fix, attackers wasted no time in launching exploitation campaigns. According to WordPress security company Patchstack, cybercriminals are using randomly generated usernames—such as "xtw1838783bc"—to establish rogue admin accounts. These usernames, along with passwords and email addresses, vary with each attack, making detection more difficult.


Current attack traffic has been traced to at least two IP addresses:

  • IPv6: 2a01:e5c0:3167::2

  • IPv4: 89.169.15.201


Limited but Significant Exposure


While OttoKit boasts over 100,000 active installations, only a subset of websites is considered exploitable. The vulnerability requires that the plugin be installed and activated but not configured, a state that still leaves many sites vulnerable due to overlooked setup processes.


OttoKit is widely used to automate tasks across WordPress environments by linking different plugins and apps through workflow integrations, making it a high-value target for attackers.


Immediate Action Required


WordPress site owners using OttoKit are strongly advised to:

  • Update the plugin to version 1.0.79 or later

  • Inspect admin user lists for suspicious accounts

  • Remove any unauthorized or unfamiliar administrators

  • Monitor for unusual activity or redirections on their sites
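To make the "inspect admin user lists" step repeatable, here is an added triage script (not from the article, Wordfence or the plugin vendor) that reviews the administrator list a site exports with the real WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`. The sample CSV is constructed, and the username regex is a heuristic derived only from the one rogue login the article quotes, so treat its hits as candidates for manual review rather than confirmed compromise.

```python
import csv
import io
import re
from datetime import datetime

# Disclosure date of CVE-2025-3102 (from the article): admin accounts created on
# or after this date on a site that ran an unpatched OttoKit deserve a second look.
DISCLOSURE_DATE = datetime(2025, 3, 13)

# Heuristic (assumption) built from the single sample login in the article,
# "xtw1838783bc": a short lowercase prefix followed by a run of digits/hex.
# It is not a published indicator and will produce false positives.
RANDOM_LOGIN_RE = re.compile(r"^[a-z]{2,4}[0-9a-f]{8,}$")

# Constructed sample in the shape produced by:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered
1,alice,alice@example.org,2021-06-02 09:14:30
7,xtw1838783bc,k9s2p@example.net,2025-04-10 03:52:11
8,bob,bob@example.org,2025-04-15 12:00:00
"""


def flag_suspicious_admins(csv_text, disclosure=DISCLOSURE_DATE):
    """Return a list of (user_login, [reasons]) for admins worth manual review."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= disclosure:
            reasons.append("registered on/after disclosure")
        if RANDOM_LOGIN_RE.match(row["user_login"]):
            reasons.append("machine-generated-looking login")
        if reasons:
            flagged.append((row["user_login"], reasons))
    return flagged


if __name__ == "__main__":
    # Pipe a real export in via stdin, or run as-is against the constructed sample.
    for login, reasons in flag_suspicious_admins(SAMPLE_ADMIN_CSV):
        print(f"{login}: {', '.join(reasons)}")
```

Any account the script flags should be cross-checked against who actually created it before it is removed (for example with `wp user delete <ID> --reassign=<trusted admin ID>`), and the plugin should already be on 1.0.79 or later before cleanup, otherwise the account can simply be recreated.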


Given the active exploitation, time is of the essence. Failure to patch this vulnerability could result in complete website compromise, data loss, SEO damage, and reputation harm due to malware or spam distribution.


