Pierluigi Paganini
April 12, 2025
Threat actors are exploiting a recently discovered vulnerability, tracked as CVE-2025-3102 (CVSS score of 8.1) in the OttoKit WordPress plugin (formerly SureTriggers), a few hours after public disclosure.
An attacker can trigger the vulnerability to create malicious administrator users when the plugin is not configured with an API key. Exploiting the flaw lets attackers fully take over a WordPress site, upload malicious plugins, alter content, serve malware or spam, and redirect visitors to malicious websites.
“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78.” reads the advisory. “This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”
Wordfence researchers state that over 100,000 sites use the vulnerable plugin, but only a subset is exploitable, as the flaw requires the plugin to be unconfigured. The WordPress cybersecurity firm warns that the flaw is actively exploited, so immediate updates are strongly advised.
“The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78.” states Wordfence. “This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.”
The WordPress plugin lets users automate actions across sites and apps, but an incomplete permission check in its code can allow attackers to exploit unconfigured sites. If the plugin’s secret key is unset and an attacker sends an empty key, they can bypass authentication and create an admin account. This enables full site takeover. While the flaw mainly affects new or unconfigured setups, it could be chained with other vulnerabilities for wider exploitation.
The researcher Michael Mazzolini discovered the vulnerability on March 13, 2025. The flaw has been addressed with the release of version 1.0.79 on April 3, 2025.
PatchStack researchers confirmed that the flaw is under active exploitation.
Attackers are attempting to exploit the flaw to create administrator accounts with the name “xtw1838783bc”.
“In the exploitation attempts we have seen attackers tried creating user accounts with the following details:”
“Since it is randomized, it is highly likely to assume that username, password and email alias will be different for each exploitation attempt. It is recommended to update your site as soon as possible if you are running the SureTriggers plugin to the latest version and look for all the IOCs in your system like created accounts, recently installed plugins/themes or overall modified content.” states PatchStack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, OttoKit WordPRess Plugin)
