Critical OttoKit Vulnerability Exploited: Hackers Gain Admin Control of WordPress Sites
Do Son 
Hackers have begun exploiting a critical vulnerability in the widely used WordPress plugin OttoKit (formerly known as SureTriggers) just hours after it was publicly disclosed. The flaw allows attackers to bypass authentication and gain full administrative control over affected websites.
OttoKit enables users to automate actions on WordPress sites without writing code—linking plugins and third-party services such as WooCommerce, Mailchimp, and Google Sheets, sending emails, creating users, or updating CRM systems. According to statistics, the plugin is active on over 100,000 websites.
The vulnerability, tracked as CVE-2025-3102, affects all versions of OttoKit and SureTriggers up to and including 1.0.78. It was discovered by security researchers at Wordfence following a report from a researcher using the alias mikemyers, who received a $1,024 bounty for the disclosure. The vendor responded swiftly, releasing version 1.0.79 with a patch on April 3.
The core flaw lies in the authenticate_user() function, which handles access control via the REST API. In cases where no API key is provided, the plugin sets the secret_key to an empty value—without validating for its emptiness in the vulnerable code. This allowed attackers to simply send a st_authorization header with an empty value and successfully bypass authentication.
As a result, attackers could access protected API endpoints, create new administrator accounts, and fully compromise the site. Worse still, the process is easily automated. According to Patchstack, exploitation began within just four hours of the vulnerability being added to their public vulnerability database.
Researchers note that the attacks involve the creation of new administrator accounts with randomized usernames, passwords, and email addresses—strongly indicating automated campaigns likely powered by scripts or bots.
Users are urgently advised to upgrade to version 1.0.79 as soon as possible. In addition, administrators should manually inspect activity logs for suspicious behavior, including the creation of new accounts, installation of unknown themes or plugins, modifications to security settings, or unexpected database access events.
This incident underscores the critical importance of applying security patches immediately after vulnerabilities are disclosed—delays of even a few hours can have dire consequences.
