Hackers have begun actively exploiting a high-severity vulnerability in the OttoKit WordPress plugin (formerly known as SureTriggers), just hours after it was publicly disclosed.

The flaw, identified as CVE-2025-3102, allows attackers to bypass authentication and potentially take full control of affected websites.

OttoKit is used by over 100,000 websites to connect plugins and external tools like WooCommerce, Mailchimp, and Google Sheets for task automation. The vulnerability affects all plugin versions up to and including 1.0.78, and users are strongly urged to update immediately to version 1.0.79, which was released at the start of April.

The issue lies in the authenticate_user() function, which handles REST API authentication. If the plugin isn’t set up with an API key, a missing check allows attackers to send an empty st_authorization header and gain unauthorized access to protected endpoints. This means attackers could create new admin accounts without needing credentials, opening the door to a complete site takeover.
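As an added illustration of this bug class, the following is hypothetical example code, not OttoKit's actual authenticate_user() implementation; the option name, route and helper names are assumed. It places the vulnerable comparison (an empty configured key matching an empty header) beside a permission check that fails closed.

```php
<?php
// Added illustration (not OttoKit's real code): the failure mode described above,
// where no API key has been configured and the st_authorization header is empty.

// Hypothetical helper standing in for the plugin's stored secret; returns ''
// when the site owner never generated a key.
function ottokit_demo_get_stored_key(): string {
    return (string) get_option( 'ottokit_demo_api_key', '' );
}

// Vulnerable pattern: the only check is "header matches stored key". With no
// key configured both sides are '' and the comparison succeeds.
function ottokit_demo_authenticate_vulnerable( WP_REST_Request $request ): bool {
    $header = (string) $request->get_header( 'st_authorization' );
    return $header === ottokit_demo_get_stored_key();
}

// Hardened pattern: fail closed when no key exists, reject an empty header,
// and compare in constant time so timing does not leak the key.
function ottokit_demo_authenticate_fixed( WP_REST_Request $request ): bool {
    $stored = ottokit_demo_get_stored_key();
    if ( $stored === '' ) {
        return false; // no key configured: nothing can legitimately authenticate
    }
    $header = (string) $request->get_header( 'st_authorization' );
    if ( $header === '' ) {
        return false;
    }
    return hash_equals( $stored, $header );
}

// Wire the hardened check in as the permission_callback for a protected route
// (route namespace and path are assumed for this example).
add_action( 'rest_api_init', function () {
    register_rest_route( 'ottokit-demo/v1', '/protected', array(
        'methods'             => 'POST',
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => 'ottokit_demo_authenticate_fixed',
    ) );
} );
```

A quick regression check for plugins of this kind is to call each protected endpoint with the header absent and with it set to an empty string on a site that has no key configured; both requests must be refused.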

The vulnerability was discovered by security researcher mikemyers, who earned a $1,024 bug bounty. Although the vendor patched the issue on April 3, attackers began exploiting it within just four hours of its public disclosure, according to WordPress security firm Patchstack.

If you’re using OttoKit or SureTriggers, take action now:

  • Update to version 1.0.79 immediately.
  • Check your site logs for suspicious activity — especially unknown admin accounts, plugin installations, or changes in security settings.
