A serious security flaw in the OttoKit WordPress plugin—formerly known as SureTriggers—is being actively exploited by attackers, putting thousands of websites at risk of full takeover.
OttoKit, an all-in-one automation platform for WordPress, is used by over 100,000 websites to streamline workflows and connect apps, plugins, and external services. But a recently discovered vulnerability tracked as CVE-2025-3102 (with a CVSS score of 8.1) has exposed unconfigured plugin installations to authentication bypass attacks. If left unpatched, this flaw could let cybercriminals create admin accounts and gain unrestricted access to the affected websites.
Exploitation Could Lead to Complete Site Takeover
According to security researchers at Defiant, attackers are taking advantage of a missing check in the plugin’s authentication function. When OttoKit is installed but not configured with an API key, the plugin still stores a blank key in its database. This opens the door for threat actors to send API requests with an empty secret key—matching the stored empty value—and bypass permission controls.
Once inside, hackers can execute commands through the plugin’s REST API, allowing them to create administrator accounts, upload malicious themes and plugins, and inject spam or redirect users to dangerous websites. Essentially, attackers gain the same level of control as legitimate admins.
“This level of access allows attackers to tamper with site content, install backdoors, or manipulate themes and plugins to further infect the site or its visitors,” Defiant explained.
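The flaw described above follows a general pattern worth recognising in any integration layer: an unset secret is stored as an empty string, and the authorization check compares the presented value against it without first asking whether a secret was ever configured. The following is an added illustration written for this article, not OttoKit's code; the settings dictionaries, function names and the sample key value are constructed assumptions that model the described behaviour in Python rather than the plugin's PHP.

```python
import hmac

# Constructed sample settings standing in for a plugin's saved options.
# An unconfigured install leaves the secret key blank, as the advisory describes.
UNCONFIGURED_SETTINGS = {"secret_key": ""}
CONFIGURED_SETTINGS = {"secret_key": "example-configured-key-not-real"}


def vulnerable_authorize(settings: dict, presented_key: str) -> bool:
    """Model of the flawed pattern: the presented key is compared against the
    stored value without checking that a key was ever configured. When both are
    empty strings the comparison succeeds and the request is treated as authorized."""
    stored = settings.get("secret_key", "")
    return stored == presented_key


def hardened_authorize(settings: dict, presented_key: str) -> bool:
    """Hardened pattern: fail closed when no key is configured, reject empty
    input outright, and compare in constant time so the check leaks no timing."""
    stored = settings.get("secret_key")
    if not stored:  # None or "" means the integration was never set up: deny
        return False
    if not presented_key:
        return False
    return hmac.compare_digest(stored.encode(), presented_key.encode())


def audit_unconfigured(settings: dict) -> bool:
    """Defender-side check: True when the install would be exposed under the
    flawed pattern, i.e. the stored secret is missing or blank."""
    return not settings.get("secret_key")


if __name__ == "__main__":
    print("vulnerable check, unconfigured:", vulnerable_authorize(UNCONFIGURED_SETTINGS, ""))
    print("hardened check, unconfigured:  ", hardened_authorize(UNCONFIGURED_SETTINGS, ""))
    print("install needs attention:       ", audit_unconfigured(UNCONFIGURED_SETTINGS))
```

The lesson for plugin and API authors is the `if not stored` branch: a missing credential must deny every request rather than silently matching an equally empty input, and the check should be present regardless of whether the administrator has finished setup. The `audit_unconfigured` helper is the kind of test a site owner or reviewer would run over stored settings to find installs that were activated but never configured, which is the population this article says is at risk.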
Who Is Affected?
While the plugin is installed on over 100,000 WordPress websites, only a smaller subset is actually vulnerable. The exploit works only when the plugin has been installed and activated but not configured with a valid API key. This makes newly installed instances particularly susceptible.
However, with active exploitation already confirmed, Defiant warns that site owners should not take chances—even if they think their configuration is secure.
Patch Released: Immediate Update Recommended
The vulnerability was reported to OttoKit’s development team on April 3, and a patch was swiftly released the same day in version 1.0.79. Website administrators using OttoKit are strongly urged to update to version 1.0.79 or newer to eliminate the risk of exploitation.
The researcher who discovered the flaw has been awarded a $1,024 bug bounty, underscoring the seriousness of the issue.