OttoKit WordPress Plugin Vulnerability Under Active Exploitation: Admin Accounts at Risk

Arsalan Rathore

A serious security flaw in the OttoKit WordPress plugin, formerly known as SureTriggers, is being actively exploited, putting thousands of websites at risk of total compromise.
Disclosed publicly just hours ago, the vulnerability, CVE-2025-3102 (CVSS 8.1), allows unauthorized attackers to bypass authentication and create admin-level user accounts on vulnerable websites. The flaw affects versions up to and including 1.0.78, and is only exploitable under specific conditions, but attackers aren’t wasting time.
Admin Account Creation Without Authentication
Security researchers at Wordfence identified the core of the vulnerability in a function named autheticate_user. A missing check on the secret_key parameter meant that a request supplying an empty value passed authentication on installations where no key had yet been configured, and the plugin then granted admin privileges.
“This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key,” said István Márton, security researcher at Wordfence.
The vulnerability was discovered by researcher Michael Mazzolini (aka mikemyers) and reported on March 13, 2025. OttoKit issued a fix nearly three weeks later with version 1.0.79, released on April 3, 2025.
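To make the bug pattern concrete, here is an added Python model of the check, not the plugin's own code (which is PHP): the flawed comparison beside a hardened form that rejects an unconfigured key and an empty supplied key before comparing. The stored-key values, the request shape and the handler are assumptions for illustration.

```python
import hmac

# Constructed sample values (not from the plugin): an unconfigured install is
# modelled as storing an empty key, a configured one as a non-empty key.
UNCONFIGURED_KEY = ""
CONFIGURED_KEY = "example-api-key-set-by-site-owner"


def vulnerable_check(stored_key: str, supplied_key: str) -> bool:
    """Models the flawed pattern described above: the supplied key is compared
    to the stored one with no check that a key was ever configured. If the
    stored key is empty, an empty supplied key is a match."""
    return supplied_key == stored_key


def hardened_check(stored_key: str, supplied_key: str) -> bool:
    """Hardened form: an unconfigured plugin (empty stored key) or an empty
    supplied key is rejected before any comparison, and the comparison itself
    is constant-time."""
    if not stored_key or not supplied_key:
        return False
    return hmac.compare_digest(stored_key.encode(), supplied_key.encode())


def handle_create_user(check, stored_key: str, request: dict) -> dict:
    """Hypothetical request handler (an assumption, not the plugin's API) that
    only creates the requested account when the key check passes."""
    supplied = request.get("secret_key", "")
    if not check(stored_key, supplied):
        return {"status": 403, "created": None}
    return {"status": 200, "created": request.get("username")}


# Constructed request carrying an empty secret_key, as the article describes.
EMPTY_KEY_REQUEST = {"secret_key": "", "username": "new-admin", "role": "administrator"}


def demo() -> dict:
    """Run both checks against the same request; the third case shows why a
    site with a configured key is not affected even by the flawed check."""
    return {
        "vulnerable": handle_create_user(vulnerable_check, UNCONFIGURED_KEY, EMPTY_KEY_REQUEST)["status"],
        "hardened": handle_create_user(hardened_check, UNCONFIGURED_KEY, EMPTY_KEY_REQUEST)["status"],
        "vulnerable_configured": handle_create_user(vulnerable_check, CONFIGURED_KEY, EMPTY_KEY_REQUEST)["status"],
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 200, 'hardened': 403, 'vulnerable_configured': 403}
```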
Exploitation Happening Now
What’s especially alarming is the speed at which threat actors began exploiting the bug. According to cybersecurity firm Patchstack, malicious users have already begun creating fake administrator accounts. One of the usernames seen in the wild is “xtw1838783bc”, though attackers are reportedly randomizing usernames, passwords, and email aliases in each attempt.
Attack traffic has been traced to the following IP addresses:
- IPv6: 2a01:e5c0:3167::2
- IPv4: 89.169.15.201
These unauthorized accounts can be used to upload malicious plugins, inject malware, redirect site visitors, or even turn compromised sites into part of phishing or spam campaigns.
Plugin Popularity Heightens the Risk
OttoKit is active on over 100,000 WordPress websites, offering powerful automation features through app and plugin integrations. Fortunately, only a subset of those sites are vulnerable, specifically those where the plugin is installed and activated but hasn’t yet been configured with an API key.
Still, that hasn’t stopped attackers from scanning for eligible targets.
What Site Owners Should Do
Website administrators using OttoKit should take immediate action:
- Update the plugin to version 1.0.79 or later.
- Audit admin accounts for suspicious usernames or recently added users.
- Verify that the plugin configuration includes a valid API key to prevent future abuse.
While OttoKit has patched the flaw, the window for exploitation remains open for any unpatched sites. As always, staying current with plugin updates and monitoring admin activity are essential to maintaining WordPress site security.