Hackers exploit authentication bypass bug in OttoKit WordPress plugin


Date: 15/04/2025

Hackers are exploiting an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, which is used by more than 100,000 websites. The first attacks were recorded just hours after the bug was disclosed.

The OttoKit plugin enables users to connect plugins and external tools (e.g. WooCommerce, Mailchimp, and Google Sheets), automate tasks (e.g. sending emails and adding users), or update CRMs without code.

Wordfence published details of the authentication bypass vulnerability in OttoKit at the end of last week. The bug, identified as CVE-2025-3102 (CVSS score 8.1), affects all versions of SureTriggers/OttoKit up to 1.0.78.

According to BleepingComputer, the vulnerability originates from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation becomes possible if the plugin isn't configured with an API key and the stored secret_key remains empty.

To exploit this bug, an attacker sends an empty st_authorization header, which passes the check and grants unauthorized access to protected API endpoints. In practice, CVE-2025-3102 enables attackers to create new administrator accounts without authentication.

Experts urge users to upgrade to the latest version of OttoKit/SureTriggers (1.0.79) released in early April as soon as possible.
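The fail-open comparison and the exposure condition described above (a version up to 1.0.78 with an empty secret_key), modeled in Python as an added example. This is not the plugin's code: the function names other than the header and key names, the simplified string comparison, and the sample site records are assumptions made for illustration.

```python
import hmac

FIXED_VERSION = (1, 0, 79)  # first fixed release named in the article


def authenticate_vulnerable(headers, stored_secret):
    """Simplified model of the flaw: no check that either value is empty."""
    supplied = headers.get("st_authorization")
    return supplied == stored_secret  # "" == "" authenticates


def authenticate_hardened(headers, stored_secret):
    """Fail closed: an unset secret or an empty header never authenticates."""
    supplied = headers.get("st_authorization")
    if not stored_secret or not supplied:
        return False
    # Constant-time comparison of the two non-empty values.
    return hmac.compare_digest(supplied.encode(), stored_secret.encode())


def parse_version(text):
    """Turn '1.0.78' into (1, 0, 78) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_exposed(plugin_version, stored_secret):
    """Exposed state per the article: pre-1.0.79 with an empty secret_key."""
    return parse_version(plugin_version) < FIXED_VERSION and not stored_secret


def audit(sites):
    """Return the names of inventory entries that are in the exposed state."""
    return [s["name"] for s in sites
            if is_exposed(s["version"], s["secret_key"])]


# Constructed inventory records (hypothetical sites, not real data).
SITES = [
    {"name": "shop", "version": "1.0.78", "secret_key": ""},
    {"name": "blog", "version": "1.0.78", "secret_key": "configured-key"},
    {"name": "docs", "version": "1.0.79", "secret_key": ""},
    {"name": "old", "version": "1.0.9", "secret_key": ""},
]

if __name__ == "__main__":
    print("exposed:", audit(SITES))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "1.0.9" above "1.0.78" and miss the last entry.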

Analysts at the WordPress security company Patchstack detected attacks exploiting CVE-2025-3102 just a few hours after its disclosure. According to the experts, hackers exploiting this bug attempt to create new administrator accounts using random combinations of usernames, passwords, and email addresses, which indicates that the attacks are automated.
