Description
A high-severity authentication bypass vulnerability (CVE-2025-3102) in the OttoKit WordPress plugin (formerly known as SureTriggers) has come under active exploitation mere hours after public disclosure. The OttoKit plugin, which allows seamless automation across plugins and external tools like WooCommerce, Mailchimp, and Google Sheets, is currently installed on over 100,000 websites. The vulnerability affects all versions of the plugin up to 1.0.78, allowing attackers to bypass authentication and gain administrative privileges. The vendor released a patched version, 1.0.79, on April 3, 2025. Site owners are urged to upgrade immediately.
Attack Details
The vulnerability identified as CVE-2025-3102 affects the OttoKit plugin (formerly SureTriggers) in all versions up to and including 1.0.78, with a patch issued in version 1.0.79. Disclosed on April 9, 2025, the flaw was actively exploited within just four hours. It stems from a missing check for empty values in the authenticate_user() function, which handles REST API authentication. If the plugin has not been configured with an API key, the stored secret_key remains empty, so a REST API request carrying an empty st_authorization header matches it and bypasses authentication. This can lead to severe consequences, including the creation of unauthorized administrator accounts, full site takeover, manipulation of site content and settings, installation of malicious plugins or themes, and exfiltration or destruction of data.
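The following is an added illustration of the flaw class described above and its fix, written for this alert; it is not OttoKit's code, and the function names, parameters and sample values are assumptions chosen to mirror the description (an empty stored secret compared against a request header).

```php
<?php
// Illustrative model of a "missing empty-value check" authentication flaw.
// Not the plugin's own code: function names and values are hypothetical.

// Vulnerable pattern: the configured secret is compared with the request
// header without first confirming that a secret was ever configured. When
// no API key has been set, the stored value is '' and an empty header
// satisfies the comparison, because in PHP '' === '' is true.
function authenticate_user_vulnerable(string $stored_secret, ?string $header): bool
{
    return $header !== null && $header === $stored_secret;
}

// Hardened pattern: fail closed when no secret is configured, require a
// non-empty header, and compare in constant time so the check does not
// leak information about the secret through timing differences.
function authenticate_user_hardened(string $stored_secret, ?string $header): bool
{
    if ($stored_secret === '' || $header === null || $header === '') {
        return false;
    }
    return hash_equals($stored_secret, $header);
}

// Constructed scenarios: an install where the API key was never set
// (empty secret) and one where a key is configured (placeholder value).
$unconfigured_secret = '';
$configured_secret   = 'PLACEHOLDER-API-KEY';

$scenarios = [
    'unconfigured, empty header'      => [$unconfigured_secret, ''],
    'configured, empty header'        => [$configured_secret, ''],
    'configured, correct header'      => [$configured_secret, 'PLACEHOLDER-API-KEY'],
    'configured, wrong header'        => [$configured_secret, 'not-the-key'],
];

// Print how each variant decides, so the difference on the unconfigured
// install (the condition the advisory describes) is visible side by side.
foreach ($scenarios as $label => [$secret, $header]) {
    printf(
        "%-28s vulnerable=%-5s hardened=%s\n",
        $label,
        authenticate_user_vulnerable($secret, $header) ? 'true' : 'false',
        authenticate_user_hardened($secret, $header) ? 'true' : 'false'
    );
}
```

Only the first scenario separates the two variants: the vulnerable check accepts an empty header when no key is configured, while the hardened check refuses to authenticate at all until a secret exists.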
Remediation
Immediate Plugin Update:
Audit and Cleanup:
Hardening Measures:
Report and Communicate:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.