The newly disclosed sensitive security flaws affecting Ottokit (formerly Suretriggers) have undergone active exploitation within hours of public disclosure.
The vulnerability tracked as CVE-2025-3102 (CVSS score: 8.1) is a permission vigable that allows an attacker to create an administrator account under certain conditions and allow control of sensitive websites.
“Suretriggers: All-in-one automation platform plugin for WordPress is vulnerable to authentication bypass, leading to the creation of administrative accounts, and the empty value check for the “Secret_key” value of all versions of the “autheticate_user” function is missing, saying “Wordfence’s Istvánnton said” at 1.0.78.
“This allows you to create an administrator account on the target website at the target website when the plugin is installed and activated but not configured with an API key.”
The successful exploitation of the vulnerability allows attackers to take full control of WordPress sites, take advantage of unauthorized access to upload any plugins, make malicious fixes that provide malware and spam, and redirect site visitors to other sketchy websites.
Security researcher Michael Mazzolini (aka Mikemyers) is acknowledged to have discovered and reported the defect on March 13, 2025. This issue is addressed in version 1.0.79 of the plugin released on April 3, 2025.
Ottokit provides the ability for WordPress users to connect various apps and plugins via workflows that can be used to automate repetitive tasks.
Although the plugin has over 100,000 active installations, we note that only a subset of websites are actually exploitable, as the plugin relies on it to be in a non-configured state despite it being installed and activated.
That said, attackers have already jumped into the exploitation bandwagon, trying to quickly utilize disclosures to create fake administrator accounts named “XTW1838783BC” per patch stack.
“Because it’s randomized, it’s very likely that we’ll assume that username, password and email aliases will be different for each attempt to exploit,” the WordPress security company said.
The attack attempt came from two different IP addresses –
2A01:E5C0:3167 ::2 (IPv6) 89.169.15.201 (IPv4)
In light of aggressive exploitation, owners of plug-ins relying on WordPress sites are advised to apply updates as soon as possible for optimal protection, check for suspicious admin accounts, and remove them.
Source link
