The OttoKit plugin enables users to connect plugins and external tools (e.g. WooCommerce, Mailchimp, and Google Sheets), automate tasks (e.g. sending emails and adding users), or update CRMs without code.
Wordfence published details of the authentication bypass vulnerability in OttoKit at the end of last week. The bug identified as CVE-2025-3102 (CVSS score 8.1) affects all versions of SureTriggers/OttoKit up to 1.0.78.
According to BleepingComputer, the vulnerability originates from a missing empty value check in the authenticate_user( function, which handles REST API authentication. Its exploitation becomes possible if the plugin isn’t configured with an API key, and the stored secret_key remains empty.
To exploit this bug, an attacker sends an empty st_authorization header to pass the check and gain unauthorized access to protected API endpoints. In fact, CVE-2025-3102 enables attackers to create new administrator accounts without authentication.
Experts urge users to upgrade to the latest version of OttoKit/SureTriggers (1.0.79) released in early April as soon as possible.
WordPress Patchstack analysts detected attacks exploiting CVE-2025-3102 as early as a few hours after its disclosure. According to experts, hackers exploiting this bug attempt to create new administrator accounts using random combinations of usernames, passwords, and email addresses (which indicates that such attacks are automated).
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →