Hackers exploit authentication bypass bug in OttoKit WordPress plugin

📟 News

Date: 15/04/2025

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just hours after the bug disclosure.

The OttoKit plugin enables users to connect plugins and external tools (e.g. WooCommerce, Mailchimp, and Google Sheets), automate tasks (e.g. sending emails and adding users), or update CRMs without code.

Wordfence published details of the authentication bypass vulnerability in OttoKit at the end of last week. The bug identified as CVE-2025-3102 (CVSS score 8.1) affects all versions of SureTriggers/OttoKit up to 1.0.78.

According to BleepingComputer, the vulnerability originates from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Its exploitation becomes possible if the plugin isn’t configured with an API key, and the stored secret_key remains empty.

To exploit this bug, an attacker sends an empty st_authorization header to pass the check and gain unauthorized access to protected API endpoints. In fact, CVE-2025-3102 enables attackers to create new administrator accounts without authentication.

Experts urge users to upgrade to the latest version of OttoKit/SureTriggers (1.0.79) released in early April as soon as possible.

WordPress Patchstack analysts detected attacks exploiting CVE-2025-3102 as early as a few hours after its disclosure. According to experts, hackers exploiting this bug attempt to create new administrator accounts using random combinations of usernames, passwords, and email addresses (which indicates that such attacks are automated).

Related posts:
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.01.29 — Google to disable Sync in older Chrome versions

Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…

Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti

A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…

Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers

Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…

Full article →