In April 2025, WordPress site owners got a stark reminder of how quickly a plugin flaw can turn into a full site takeover. A critical authentication bypass in the popular OttoKit plugin (formerly SureTriggers) was disclosed, and attackers began exploiting it within hours — forging brand-new administrator accounts on vulnerable sites before many owners had even seen the advisory. Tracked as CVE-2025-3102, the vulnerability affected a plugin installed on more than 100,000 websites. If you use OttoKit or SureTriggers to automate your workflows, this is one you need to understand.
CVE Details
- CVE ID: CVE-2025-3102
- Plugin: OttoKit / SureTriggers – All-in-One Automation Platform
- Vulnerability type: Authorization bypass leading to unauthenticated administrator account creation
- CVSS score: 8.1 (High)
- Affected versions: 1.0.78 and earlier
- Patched version: 1.0.79 (released April 3, 2025)
- Active installations: 100,000+
- Status: Actively exploited in the wild
How the Vulnerability Works
OttoKit (which was named SureTriggers at the time of disclosure) is an automation plugin that connects WordPress to other apps and services — think of it as a way to trigger actions across tools when something happens on your site. To let external services communicate with your site securely, the plugin exposes a REST API endpoint that expects an authorization token.
The problem lived in the plugin’s authenticate_user() function, which was responsible for checking whether an incoming request was allowed. That function compared the secret key sent in the request’s st_authorization HTTP header against the API key stored on the site. The critical mistake: it never checked whether that stored key was actually empty.
Here is the dangerous scenario. When the plugin is installed and activated but has not yet been connected to an OttoKit/SureTriggers account, no API key is configured — the stored value is empty. An attacker who sends a request with an empty st_authorization header causes the check to compare “empty” against “empty,” which passes. The plugin treats the request as authenticated, and the run_action() function tied to that endpoint executes privileged actions — including creating a new user with administrator rights.
To exploit it, an attacker needs no credentials at all. They only need to find a site running a vulnerable version of the plugin in the unconfigured state, then send a single crafted request. That narrow condition — installed but not yet set up — is exactly the window many site owners leave open right after installing a new plugin.
Real-World Impact
An unauthenticated attacker who can create an administrator account effectively owns your website. From that account, they can do anything a legitimate admin can: install malicious plugins and themes, inject spam or malware into your pages, redirect your visitors to scam sites, harvest customer data, add backdoors that survive a plugin update, or lock you out of your own dashboard entirely.
This was not theoretical. Security firm Patchstack reported that attacks began within hours of public disclosure. Attackers were observed creating rogue admin accounts with randomized usernames, passwords, and email addresses — one early example used the username “xtw1838783bc” — and randomizing those values on each attempt to evade simple detection. For an e-commerce store or a business site, that kind of silent takeover can mean stolen customer information, damaged search rankings, and a cleanup bill far larger than the cost of staying patched.
How to Check If You’re Affected
Work through these checks on your site:
- In your WordPress dashboard, go to Plugins > Installed Plugins and look for “OttoKit” or “SureTriggers – All-in-One Automation Platform.”
- Check the version number listed under the plugin name. If it is 1.0.78 or lower, the site is vulnerable and needs to be updated immediately.
- You are at greatest risk if the plugin is installed and active but was never connected to an OttoKit/SureTriggers account with an API key — that unconfigured state is the exploitable condition.
- Review your user list under Users > All Users and filter by the Administrator role. Look for any accounts you don’t recognize, especially ones with random-looking usernames or unfamiliar email addresses.
- Check for recently added admin users and unexpected plugins or themes you didn’t install — these are common signs of a completed takeover.
How to Fix It
The core fix is simple and should be done right away:
- Update the plugin to version 1.0.79 or later. Go to Plugins > Installed Plugins, and if an update is available for OttoKit/SureTriggers, apply it. Version 1.0.79 adds the missing empty-value check that closes the bypass.
- Enable auto-updates for this plugin so future security patches install automatically.
- If you’re not using the plugin, deactivate and delete it. An unconfigured, unused automation plugin is pure risk with no benefit.
If your site may already have been compromised, patching alone is not enough — a backdoor created before the update will still be there. Additional hardening and cleanup steps:
- Delete any administrator accounts you don’t recognize, then reset passwords for all legitimate admin users.
- Rotate your security salts and keys in
wp-config.phpto force everyone to log back in and invalidate hijacked sessions. - Scan the site with a reputable malware scanner and review recently modified files, installed plugins, and scheduled tasks (WP-Cron) for anything unexpected.
- Review your server and access logs for suspicious REST API requests around the time of the disclosure.
- Consider a firewall or security plugin that virtually patches known vulnerabilities, giving you a safety net during the gap between disclosure and update.
Takeaway
CVE-2025-3102 is a textbook example of how a small logic oversight — forgetting to check for an empty value — can hand attackers the keys to an entire website. It also highlights a subtle risk that’s easy to overlook: freshly installed but unconfigured plugins can be just as dangerous as neglected ones. The defenses are the same fundamentals that protect against nearly every plugin vulnerability: keep everything updated, enable auto-updates where you can, remove plugins you don’t use, and audit your administrator accounts regularly. When exploitation starts within hours of disclosure, the sites that stay safe are the ones that were already keeping good security hygiene — not the ones scrambling to react.