Introduction

A critical authentication bypass vulnerability [1] [4] [7], identified as CVE-2025-3102 [1] [2] [4] [5] [6] [7] [9] [10], has been discovered in the OttoKit plugin for WordPress [1] [10], previously known as SureTriggers [3] [6] [10]. This vulnerability poses a significant risk to websites using affected versions, potentially allowing unauthorized access and control.

Description

A high-severity authentication bypass vulnerability [1] [7], tracked as CVE-2025-3102 [1] [2] [4] [5] [6] [7] [9] [10], has been discovered in the OttoKit plugin for WordPress [1] [10], formerly known as SureTriggers [3] [6] [10]. This critical flaw affects all versions up to and including 1.0.78 and has a CVSS score of 8.1. The vulnerability arises from the plugin's authenticate_user() function failing to reject an empty ST-Authorization HTTP header, combined with a missing check on the secret_key parameter within its REST API. When the plugin is installed and activated without an API key [6], the stored secret_key value remains empty [4], so an empty header matches it and unauthorized users can bypass authentication and create new administrative accounts [4] [6] [8]. This poses a significant risk of complete website takeover, enabling attackers to upload malicious plugins [7], modify content to distribute malware or spam [7], and redirect site visitors to harmful websites [7].
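To make the described logic flaw concrete, here is an added Python illustration (not the plugin's own PHP code) of the vulnerable check beside a hardened one; the option names, the handler and the request values are constructed assumptions for the example.

```python
"""Added illustration of the CVE-2025-3102 logic flaw (not the plugin's code).

OttoKit/SureTriggers is PHP; this Python mock reproduces the described
failure mode: when no API key has been configured, the stored secret_key is
empty, and an empty ST-Authorization header compares equal to it.
"""
import hmac

# Hypothetical representation of the plugin's stored connection secret.
# Constructed values: an unconfigured install stores an empty secret_key.
UNCONFIGURED_OPTIONS = {"secret_key": ""}
CONFIGURED_OPTIONS = {"secret_key": "constructed-example-key-123"}


def authenticate_user_vulnerable(options: dict, headers: dict) -> bool:
    """Mirrors the flaw described in the advisory: the header is read and
    compared with the stored key, but neither value is checked for emptiness.
    "" == "" is true, so an unconfigured site accepts an empty header."""
    supplied = headers.get("ST-Authorization", "")
    return supplied == options.get("secret_key", "")


def authenticate_user_fixed(options: dict, headers: dict) -> bool:
    """Hardened form: refuse when either side is empty (no key configured
    means no request may authenticate), then compare in constant time."""
    stored = options.get("secret_key", "")
    supplied = headers.get("ST-Authorization", "")
    if not stored or not supplied:
        return False
    return hmac.compare_digest(supplied, stored)


def handle_create_user(auth_fn, options: dict, headers: dict, body: dict) -> dict:
    """Stand-in for the REST handler that creates an account only after
    authentication succeeds. Returns a small result record for inspection."""
    if not auth_fn(options, headers):
        return {"status": 401, "created": None}
    # With the vulnerable check, this branch is reached by an anonymous client.
    return {"status": 200, "created": {"user": body["user"], "role": body["role"]}}


# Constructed request as it would arrive from an unauthenticated client:
# no API key, empty ST-Authorization header, asking for an administrator role.
ANONYMOUS_REQUEST = {"headers": {"ST-Authorization": ""},
                     "body": {"user": "x9k2", "role": "administrator"}}

if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_user_vulnerable),
                     ("fixed", authenticate_user_fixed)):
        r = handle_create_user(fn, UNCONFIGURED_OPTIONS,
                               ANONYMOUS_REQUEST["headers"], ANONYMOUS_REQUEST["body"])
        print(f"{name:10s} unconfigured site -> HTTP {r['status']}")
```

Running it shows the vulnerable check returning HTTP 200 for the anonymous request on an unconfigured site, while the hardened check returns 401 and only accepts a non-empty header that matches a non-empty configured key.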

The vulnerability was reported on March 13, 2025 [5], through the Wordfence Bug Bounty Program [5], and was publicly disclosed on April 3, 2025 [8]. Active exploitation began shortly thereafter, with attackers employing automated methods to target specific REST API endpoints, generating randomized usernames [1] [6] [8], passwords [6] [8], and unique email aliases to create admin-level accounts. One notable exploitation attempt was traced back to the IP address 89.169.15.201 [10], highlighting the urgency for immediate patching or mitigation measures [10]. In response to this critical issue, the vendor released a patched version, 1.0.79 [4], on the same day as the disclosure.

Website administrators using vulnerable versions are strongly urged to upgrade to version 1.0.79 or later to mitigate risks. Immediate actions are recommended [3], including auditing admin users for unauthorized accounts, monitoring logs for unusual activities [3], and blocking known malicious IPs [3]. This incident underscores the necessity for secure default configurations in plugins and highlights the importance of timely updates and proactive security measures within the WordPress ecosystem [9]. Security experts recommend that all users [9], even those with inactive installations [9], update to the patched version to prevent exploitation [9]. Continuous vigilance [5], routine security assessments [5], and adherence to best practices are essential for safeguarding against such vulnerabilities [5].

Conclusion

The discovery of CVE-2025-3102 in the OttoKit plugin underscores the critical need for robust security practices in the WordPress ecosystem. Immediate patching and proactive monitoring are essential to mitigate the risks associated with this vulnerability. This incident highlights the importance of secure default configurations and timely updates to prevent unauthorized access and potential website takeovers. Website administrators must remain vigilant, conduct regular security assessments, and adhere to best practices to protect against future vulnerabilities.

References

[1] https://wmtech.io/hackers-exploit-wordpress-plugin-auth-bypass-hours-after-disclosure/
[2] https://www.heise.de/en/news/Attacks-on-security-leak-in-Wordpress-plug-in-SureTriggers-underway-10351332.html
[3] https://massking.substack.com/p/vulnerability-report-authorization
[4] https://www.bitdefender.com/en-us/blog/hotforsecurity/threat-actors-exploit-high-severity-bypass-vulnerability-in-wordpress-plugin
[5] https://cybercory.com/2025/04/11/100000-wordpress-sites-at-risk-administrative-user-creation-vulnerability-in-suretriggers-plugin-exposes-critical-weakness/
[6] https://www.astrill.com/blog/ottokit-wordpress-plugin-vulnerability-under-active-exploitation/
[7] https://securityonline.info/critical-vulnerabilities-major-cyberattacks-april-7-13-recap/
[8] https://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exploited-4/
[9] https://thecyberexpress.com/suretriggers-vulnerability/
[10] https://rewterz.com/threat-advisory/wordpress-plugin-authentication-bypass-actively-exploited-after-public-disclosure