PT-2025-15910 · WordPress · Suretriggers

Michael Mazzolini · Published 2025-04-09 · Updated 2025-09-29 · CVE-2025-3102

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OttoKit (formerly SureTriggers) versions 1.0.0 through 1.0.78

Description: The vulnerability is an authentication bypass in the OttoKit WordPress plugin. It allows unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but has not been configured with an API key. The root cause is a missing empty-value check on the secret key in the authenticate user function. The issue has been actively exploited, with over 100,000 WordPress sites potentially at risk. Attackers can create admin accounts and fully take over vulnerable sites.

Recommendations: For versions 1.0.0 through 1.0.78, update to version 1.0.79 immediately to prevent unauthorized access. As a temporary workaround, consider disabling the authenticate user function until a patch is available. Restrict access to the REST API endpoints to minimize the risk of exploitation. Check admin users and remove any suspicious accounts.
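The root cause described above, as an added illustration in PHP that is not OttoKit's code: a shared-secret check that compares the stored key with the supplied key without first rejecting an empty stored key, beside a hardened version that refuses to authenticate until a key has been provisioned. The function and variable names are assumed, and the sample values are constructed.

```php
<?php
// Added illustration of the defect class, not the plugin's own code.
// $stored_key   : the secret persisted by the plugin; '' when it was never configured
// $supplied_key : the value presented by the caller of the REST endpoint

function authenticate_vulnerable(string $stored_key, string $supplied_key): bool
{
    // No check that a secret has actually been set. When the plugin is
    // unconfigured, $stored_key is '' and an empty supplied key matches it,
    // so the caller is treated as authenticated.
    return $stored_key === $supplied_key;
}

function authenticate_hardened(string $stored_key, string $supplied_key): bool
{
    // Fail closed: an unconfigured secret must never authenticate anyone.
    if ($stored_key === '' || $supplied_key === '') {
        return false;
    }
    // Constant-time comparison so the key cannot be recovered via timing.
    return hash_equals($stored_key, $supplied_key);
}

// Constructed demonstration values: an unconfigured install and a configured one.
$cases = [
    ['stored' => '',            'supplied' => ''],
    ['stored' => 'k-constructed', 'supplied' => ''],
    ['stored' => 'k-constructed', 'supplied' => 'k-constructed'],
];

foreach ($cases as $c) {
    printf(
        "stored=%-14s supplied=%-14s vulnerable=%s hardened=%s\n",
        var_export($c['stored'], true),
        var_export($c['supplied'], true),
        authenticate_vulnerable($c['stored'], $c['supplied']) ? 'ALLOW' : 'deny',
        authenticate_hardened($c['stored'], $c['supplied']) ? 'ALLOW' : 'deny'
    );
}
```

The first row is the unconfigured-install case the advisory describes: the vulnerable check allows it, the hardened check denies it.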

Fix

RCE

Weakness Enumeration

Related Identifiers: BDU:2025-04970, CVE-2025-3102

Affected Products: Suretriggers