Hackers exploit authentication bypass bug in OttoKit WordPress plugin

📟 News

Date: 15/04/2025

Hackers are exploiting an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, which is used by more than 100,000 websites. The first attacks were recorded just hours after the bug was disclosed.

The OttoKit plugin enables users to connect plugins and external tools (e.g. WooCommerce, Mailchimp, and Google Sheets), automate tasks (e.g. sending emails and adding users), or update CRMs without code.

Wordfence published details of the authentication bypass vulnerability in OttoKit at the end of last week. The bug, identified as CVE-2025-3102 (CVSS score 8.1), affects all versions of SureTriggers/OttoKit up to 1.0.78.

According to BleepingComputer, the vulnerability originates from a missing empty-value check in the authenticate_user() function, which handles REST API authentication. Exploitation becomes possible when the plugin has not been configured with an API key, so the stored secret_key remains empty.

To exploit the bug, an attacker sends an empty st_authorization header, which matches the empty stored key, passes the check, and grants unauthorized access to protected API endpoints. In practice, CVE-2025-3102 lets attackers create new administrator accounts without authentication.
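The following is an added illustration of the bug class described above, not code from the OttoKit/SureTriggers plugin: a secret-key comparison that silently succeeds when both the stored key and the supplied header are empty, shown beside a hardened version. The function names (check_key_vulnerable, check_key_fixed) and the demo values are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Models the pattern described in the
// article: a REST authentication check that compares the value of the
// st_authorization request header against a secret_key stored in the site's
// options, with no check that either value is actually set.

// Vulnerable pattern: an unconfigured site stores an empty secret_key, and an
// empty (or missing) header compares equal to it, so the check passes.
function check_key_vulnerable(string $storedSecret, ?string $header): bool
{
    return $storedSecret == $header;   // '' == '' and '' == null are both true
}

// Hardened pattern: refuse outright when no key has been configured or the
// request supplies none, then compare the two strings in constant time.
function check_key_fixed(string $storedSecret, ?string $header): bool
{
    if ($storedSecret === '' || $header === null || $header === '') {
        return false;                   // "nothing configured" is never a valid credential
    }
    return hash_equals($storedSecret, $header);
}

// Constructed demo values: a site that never set an API key, and a request
// with an empty header, plus a correctly configured site for comparison.
$cases = [
    ['stored' => '',            'header' => '',            'note' => 'unconfigured site, empty header'],
    ['stored' => '',            'header' => null,          'note' => 'unconfigured site, header absent'],
    ['stored' => 'k3y-example', 'header' => 'k3y-example', 'note' => 'configured site, correct key'],
    ['stored' => 'k3y-example', 'header' => '',            'note' => 'configured site, empty header'],
];

foreach ($cases as $c) {
    printf(
        "%-40s vulnerable=%s fixed=%s\n",
        $c['note'],
        check_key_vulnerable($c['stored'], $c['header']) ? 'ALLOW' : 'deny',
        check_key_fixed($c['stored'], $c['header'])      ? 'ALLOW' : 'deny'
    );
}
```

Run with `php example.php`: the vulnerable check allows the two unconfigured cases, the fixed check allows only the configured site presented with the correct key. In a real plugin the fixed function would sit behind the route's `permission_callback`, with the stored value read via `get_option()` and the header via `WP_REST_Request::get_header()`; the important property is that an empty stored secret is treated as "authentication disabled", never as a key that an empty header can match.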

Experts urge users to upgrade to the latest version of OttoKit/SureTriggers (1.0.79) released in early April as soon as possible.

Patchstack analysts detected attacks exploiting CVE-2025-3102 within a few hours of its disclosure. According to the researchers, attackers exploiting the bug attempt to create new administrator accounts using random combinations of usernames, passwords, and email addresses, which indicates that the attacks are automated.
