Threat actors are actively exploiting a vulnerability in the OttoKit WordPress plugin, placing numerous websites at risk of full compromise, according to a warning from WordPress security firm Defiant.
OttoKit, previously known as SureTriggers, is an automation plugin that helps site administrators connect various applications, websites, and other WordPress plugins. With over 100,000 active installations, the plugin is widely used, but a high-severity authentication bypass vulnerability could allow attackers to create new administrator accounts and take over affected sites.
The flaw, identified as CVE-2025-3102 and given a CVSS score of 8.1, stems from a missing empty-value check in the function responsible for permission validation. Specifically, the function only checks whether the secret key supplied in the request header matches the one stored in the plugin's database. If the plugin hasn't been configured with a key, the stored value is empty, so an attacker who supplies an empty value matches the default, unconfigured key and is granted access.
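The check described above, reduced to its essentials, as an added illustration that is not OttoKit's code: the vulnerable shape compares header and stored values directly, so an unconfigured (empty) key matches an empty header, while the hardened shape refuses to authorize until a key exists. The option and header names in the comments are placeholders, not the plugin's real identifiers.

```php
<?php
// Added illustration (not OttoKit's code) of the permission check the article
// describes. Both functions take the stored key and the header value directly
// so the file runs with the PHP CLI without WordPress.

// Vulnerable shape: the only test is "does the header equal the stored key?".
// On a site where the plugin was never configured the stored key is '', and a
// missing or empty header is also '', so the comparison succeeds and the
// request is treated as authorized.
function vulnerable_permission_check(string $stored_key, ?string $header_key): bool
{
    return $stored_key === (string) $header_key;
}

// Hardened shape: no configured key means nothing can be authorized, an empty
// header is never accepted, and the comparison runs in constant time.
function hardened_permission_check(string $stored_key, ?string $header_key): bool
{
    if ($stored_key === '' || $header_key === null || $header_key === '') {
        return false;
    }
    return hash_equals($stored_key, $header_key);
}

// Inside a plugin, the hardened check would sit in the REST route's
// permission_callback, roughly like this (placeholder names throughout):
//   register_rest_route('example/v1', '/action', [
//       'methods'             => 'POST',
//       'callback'            => 'example_handle_action',
//       'permission_callback' => function (WP_REST_Request $r) {
//           return hardened_permission_check(
//               (string) get_option('example_secret_key', ''), // placeholder option
//               $r->get_header('x-example-secret')              // placeholder header
//           );
//       },
//   ]);

// Demo: an unconfigured site receiving a request with an empty header.
$unconfigured_key = '';
var_dump(vulnerable_permission_check($unconfigured_key, ''));
var_dump(hardened_permission_check($unconfigured_key, ''));

// Demo: a configured site receiving the correct key (constructed sample value).
var_dump(hardened_permission_check('configured-sample-key', 'configured-sample-key'));
```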
Once this bypass is successful, attackers can interact with the plugin’s REST API endpoint to carry out critical functions, such as creating administrative user accounts. This would enable them to manipulate the website as a legitimate administrator, including uploading malicious plugin or theme files, altering site content, redirecting users to harmful sites, or injecting spam.
However, this vulnerability only affects websites where the plugin has been installed and activated but not yet configured with an API key. While over 100,000 installations exist, Defiant notes that only a fraction are actually vulnerable due to this condition.
Despite the limited attack surface, the flaw has been confirmed to be exploited in the wild. Users are strongly advised to upgrade to OttoKit version 1.0.79 or later, which includes a patch for the issue. The vulnerability was responsibly disclosed to the plugin’s developer on April 3, and a fix was issued the same day.