Table of Contents
April 12, 2025
|3m
OttoKit WordPress Plugin Zero-Day Exploited to Create Rogue Admin Accounts
A critical security vulnerability in the OttoKit WordPress plugin, formerly known as SureTriggers, is being actively exploited, mere hours after its public disclosure. The flaw allows attackers to create unauthorized administrator accounts, potentially granting them complete control over vulnerable websites.
The vulnerability, designated CVE-2025-3102 and given a CVSS score of 8.1, stems from an authorization bypass within the plugin. According to Wordfence, the vulnerability resides in the autheticate_user function where a missing check on the 'secret_key' value enables unauthenticated attackers to create admin accounts when the plugin is installed and activated but hasn't been configured with an API key.
István Márton of Wordfence explained that the vulnerability, found in versions up to and including 1.0.78, allows attackers to create administrator accounts if the plugin is installed and activated without initial API key configuration.
Successful exploitation could lead to severe consequences. Attackers could leverage their newfound administrative privileges to:
Upload malicious plugins.
Modify website content to distribute malware or spam.
Redirect visitors to malicious websites.
Security researcher Michael Mazzolini discovered and reported the vulnerability on March 13, 2025. A patch was released in version 1.0.79 of the plugin on April 3, 2025.
OttoKit is a popular plugin used to automate tasks by connecting various apps and plugins through workflows. While boasting over 100,000 active installations, the vulnerability only impacts sites where the plugin is installed and activated but remains unconfigured.
Despite this limitation, attackers are actively attempting to exploit the flaw. Patchstack reports that malicious actors are creating rogue administrator accounts with the username "xtw1838783bc." The security firm suggests that usernames, passwords, and email aliases used in these attacks are likely randomized for each exploitation attempt.
These attacks have been traced back to two distinct IP addresses: 2a01:e5c0:3167::2 (IPv6) and 89.169.15.201 (IPv4).
Given the active exploitation, WordPress site owners using the OttoKit plugin are strongly urged to:
Update to version 1.0.79 immediately.
Check for any suspicious administrator accounts.
Remove any unauthorized accounts.
Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this.
You may also like these articles: Here are the 5 most contextually relevant blog posts:
Anthony Denis
Anthony Denis a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
