OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

Apr 11, 2025Ravie LakshmananWebsite Security / Vulnerability

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure.

The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.

“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78,” Wordfence’s István Márton said.

“This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”

Successful exploitation of the vulnerability could permit an attacker to gain complete control over a WordPress site and leverage the unauthorized access to upload arbitrary plugins, make malicious modifications to serve malware or spam, and even redirect site visitors to other sketchy websites.

Security researcher Michael Mazzolini (aka mikemyers) has been credited with discovering and reporting the flaw on March 13, 2025. The issue has been addressed in version 1.0.79 of the plugin released on April 3, 2025.

OttoKit offers the ability for WordPress users to connect different apps and plugins through workflows that can be used to automate repetitive tasks.

While the plugin has over 100,000 active installations, it bears noting that only a subset of the websites are actually exploitable due to the fact that it hinges on the plugin to be in a non-configured state despite being installed and activated.

That said, attackers have already jumped in on the exploitation bandwagon, attempting to quickly capitalize on the disclosure to create bogus administrator accounts with the name “xtw1838783bc,” per Patchstack.

“Since it is randomized it is highly likely to assume that username, password, and email alias will be different for each exploitation attempt,” the WordPress security company said.

The attack attempts have originated from two different IP addresses –

• 2a01:e5c0:3167::2 (IPv6)
• 89.169.15.201 (IPv4)

In light of active exploitation, WordPress site owners relying on the plugin are advised to apply the updates as soon as possible for optimal protection, check for suspicious admin accounts, and remove them.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!