Threat actors are actively exploiting a vulnerability in the OttoKit WordPress plugin, with many websites potentially exposed to complete compromise, WordPress security firm Defiant warns.
Formerly named SureTriggers, ‘OttoKit: All-in-One Automation Platform’ is a plugin that enables website administrators to automate tasks and connect applications, websites, and WordPress plugins.
The plugin has more than 100,000 active installations, putting all websites that use it at risk of takeover due to a high-severity authentication bypass that could allow attackers to create new administrator accounts.
Tracked as CVE-2025-3102 (CVSS score of 8.1), the issue exists due to a missing empty value check in a function that performs permission verifications.
Because the function only compares the secret key in the header with the one in the plugin’s database, an attacker can specify an empty value for the secret key and, if the plugin has not been configured, it will match the empty key value in the database.
This allows the attacker to access the REST API endpoint that handles different actions and perform various operations, including creating a new administrative account. This would provide the attacker with complete control of the affected site.
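To make the flaw concrete, here is an added, constructed model of the permission check described above, written for this article rather than taken from the OttoKit code: the pre-fix logic only compares the header value with the stored value, so an unconfigured plugin (empty stored secret) accepts an empty or missing header, while the hardened version rejects empty values before comparing. Function names and the sample secret are assumptions.

```python
import hmac
from typing import Callable, Dict, Optional

# Constructed model, not OttoKit's actual code. The stored secret is empty until
# the site owner finishes configuring the plugin with an API key.

def vulnerable_permission_check(stored_secret: str, header_secret: Optional[str]) -> bool:
    """Pre-fix logic: a plain equality test with no empty-value check.
    When the plugin is unconfigured, stored_secret is "" and an empty or
    absent header matches it, so the request is treated as authorized."""
    if header_secret is None:
        header_secret = ""
    return header_secret == stored_secret

def hardened_permission_check(stored_secret: str, header_secret: Optional[str]) -> bool:
    """Fixed logic: refuse whenever either side is empty (unconfigured plugin
    or missing header), then compare in constant time to avoid timing leaks."""
    if not stored_secret or not header_secret:
        return False
    return hmac.compare_digest(stored_secret.encode(), header_secret.encode())

def evaluate_cases(check: Callable[[str, Optional[str]], bool]) -> Dict[str, str]:
    """Run one check function over constructed request scenarios and report
    which ones would reach the action-handling REST endpoint."""
    scenarios = {
        "unconfigured_plugin_empty_header": ("", ""),
        "unconfigured_plugin_missing_header": ("", None),
        "configured_plugin_correct_key": ("s3cr3t-example", "s3cr3t-example"),
        "configured_plugin_wrong_key": ("s3cr3t-example", "guess"),
        "configured_plugin_empty_header": ("s3cr3t-example", ""),
    }
    return {
        name: ("authorized" if check(stored, header) else "rejected")
        for name, (stored, header) in scenarios.items()
    }

if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_permission_check),
                      ("hardened", hardened_permission_check)):
        print(label, evaluate_cases(fn))
```

Only the two unconfigured-plugin scenarios differ between the checks, which matches the article's point that configured installations are not exploitable.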
“[The attacker could] then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content,” Defiant says.
However, the security defect can only be exploited if the plugin has been installed and activated, but not configured with an API key, meaning that only new and unconfigured installations are susceptible to attacks.
“While over 100,000 sites have this plugin installed and contain the vulnerability, only a small subset of sites will actually be exploitable. This is due to the nature of the vulnerability which requires the plugin to be in a non-configured state for exploitation,” Defiant explains.
However, the cybersecurity firm also warns that the vulnerability has been exploited in the wild, urging the plugin’s users to update to OttoKit version 1.0.79 or later, which contains the patch for the bug.
Defiant reported the issue to the plugin’s developer on April 3 and a fix was released on the same day. According to the security firm, the researcher who discovered the flaw was awarded a $1,024 bug bounty reward.