A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) was actively exploited within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
"The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'authenticate_user' function in all versions up to, and including, 1.0.78," Wordfence's István Márton said. "This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key."
Successful exploitation of the vulnerability could allow an attacker to gain complete control over a WordPress site and use that unauthorized access to upload arbitrary plugins, make malicious modifications to serve malware or spam, and redirect site visitors to other dubious websites. Security researcher Michael Mazzolini (aka mikemyers) has been credited with discovering and reporting the flaw on 13 March 2025. The issue has been addressed in version 1.0.79 of the plugin, released on 3 April 2025.
OttoKit allows WordPress users to connect different apps and plugins through workflows that automate repetitive tasks. While the plugin has over 100,000 active installations, it bears noting that only a subset of those sites is actually exploitable, because exploitation hinges on the plugin being installed and activated but never configured with an API key.
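The two conditions above, a missing empty-value check on the secret and an installed-but-unconfigured plugin, combine into the bug class the advisory describes. The following PHP is an added illustration of that pattern and of the fix, written for this page; it is not OttoKit/SureTriggers source code, and the function names, parameter names and sample values are assumptions chosen to mirror the advisory's wording.

```php
<?php
// Added illustration, not the plugin's own code. It models an
// authenticate_user-style check that compares a caller-supplied
// 'secret_key' against the stored API key. Names and values are assumptions.

// Vulnerable pattern: no check that a key has actually been configured.
// On an activated-but-unconfigured install the stored key is '', so a
// request carrying an empty 'secret_key' compares equal and is accepted.
function authenticate_user_vulnerable(array $request, string $stored_secret_key): bool
{
    $supplied = $request['secret_key'] ?? '';
    // '' === '' evaluates to true: this is the missing empty-value check.
    return $supplied === $stored_secret_key;
}

// Hardened pattern: refuse outright when no key is configured, refuse an
// empty supplied secret, and compare in constant time once both exist.
function authenticate_user_fixed(array $request, string $stored_secret_key): bool
{
    if ($stored_secret_key === '') {
        // Unconfigured plugin: there is nothing to authenticate against.
        return false;
    }
    $supplied = $request['secret_key'] ?? '';
    if ($supplied === '') {
        return false;
    }
    return hash_equals($stored_secret_key, $supplied);
}

// Constructed sample inputs (not real keys) showing the difference.
$unconfigured = '';                       // plugin activated, API key never set
$configured   = 'example-configured-key'; // placeholder value for a configured site

var_dump(authenticate_user_vulnerable(['secret_key' => ''], $unconfigured));
var_dump(authenticate_user_fixed(['secret_key' => ''], $unconfigured));
var_dump(authenticate_user_fixed(['secret_key' => 'wrong'], $configured));
var_dump(authenticate_user_fixed(['secret_key' => $configured], $configured));
```

The first call is the failure mode: the vulnerable comparison accepts an empty secret against an empty stored key, which is why only unconfigured installs are affected. The hardened version treats "no key configured" as a hard reject rather than as a value to compare against, and uses `hash_equals` so that the comparison does not leak timing information once a key exists.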
Attackers have taken notice of the flaw and are quickly capitalizing on the disclosure to create bogus administrator accounts named "xtw1838783bc," per Patchstack. "Since it is randomized, it is highly likely to assume that username, password, and email alias will differ for each exploitation attempt," the WordPress security company said.
The attack attempts have originated from two different IP addresses:
• 2a01:e5c0:3167::2 (IPv6)
• 89.169.15.201 (IPv4)
Considering active exploitation, WordPress site owners relying on the plugin are advised to apply the updates as soon as possible for optimal protection, check for suspicious admin accounts, and remove them.
[1] https://thehackernews.com/2025/04/ottokit-wordpress-plugin-admin-creation.html
© 2025 Red Sky Alliance Corporation. All rights reserved.