Analysis of OttoKit WordPress Plugin Vulnerability

Today, April 11, 2025, at 01:22 PM PDT, The Birdling's 14th Command Team received intelligence that the vulnerability in the OttoKit WordPress plugin, previously known as SureTriggers, is still under active exploitation. OttoKit, with over 100,000 active installations, is an all-in-one automation platform that lets website administrators connect applications, websites, and WordPress plugins and automate tasks without writing code. The vulnerability, tracked as CVE-2025-3102, is an authentication bypass that allows attackers to create new administrator accounts, potentially leading to complete website takeover. This article provides a detailed analysis of the vulnerability, its technical aspects, the exploitation methods observed, and recommendations for mitigation, based on intelligence gathered from published reports.

WordPress powers approximately 43% of all websites globally, making it a prime target for cybercriminals. Plugins like OttoKit enhance functionality, with OttoKit specifically designed for workflow automation, connecting tools like WooCommerce, Mailchimp, and Google Sheets. With over 100,000 active installations, its popularity amplifies the impact of vulnerabilities.

CVE-2025-3102, disclosed on April 10, 2025, by Wordfence, has a CVSS score of 8.1, indicating high severity. It affects all versions of OttoKit up to and including 1.0.78, with the patch released in version 1.0.79 on April 3, 2025, following responsible disclosure on March 13, 2025.

The vulnerability is an authentication bypass caused by a missing empty-value check in the 'authenticate_user' function, which handles REST API authentication. If the plugin is installed and activated but has not been configured with an API key, the stored 'secret_key' value remains empty. An attacker can therefore send a request with an empty 'st_authorization' header, which matches the empty stored key, bypassing authentication and gaining access to protected API endpoints, including those for user management.
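The check described above, modelled as a WordPress REST permission callback with the flawed form beside a hardened one. This is an added illustration written for this analysis, not OttoKit's own code; the option key 'demo_ottokit_secret_key', the REST namespace 'demo-ottokit/v1' and the function names are assumptions.

```php
<?php
// Added illustration for this analysis, not OttoKit's own code. Assumed names:
// option 'demo_ottokit_secret_key', REST namespace 'demo-ottokit/v1'.

// FLAWED: the bug class described above. On a plugin that was activated but
// never configured, the stored key is '' and an absent or empty
// 'st_authorization' header also reads as '', so the equality check passes.
function demo_authenticate_user_flawed( WP_REST_Request $request ) {
	$secret_key = (string) get_option( 'demo_ottokit_secret_key', '' );
	$provided   = (string) $request->get_header( 'st_authorization' );
	return $secret_key === $provided; // '' === '' is true: authentication bypassed
}

// HARDENED: fail closed when no key has been configured or none was sent,
// then compare in constant time so the check leaks no timing information.
function demo_authenticate_user_fixed( WP_REST_Request $request ) {
	$secret_key = (string) get_option( 'demo_ottokit_secret_key', '' );
	$provided   = (string) $request->get_header( 'st_authorization' );
	if ( '' === $secret_key || '' === $provided ) {
		return new WP_Error( 'rest_forbidden', 'API key not configured or not supplied.', array( 'status' => 403 ) );
	}
	if ( ! hash_equals( $secret_key, $provided ) ) {
		return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
	}
	return true;
}

// Wire the hardened callback to a user-management route: the permission
// callback runs before the handler, so an empty header never reaches it.
add_action( 'rest_api_init', function () {
	register_rest_route( 'demo-ottokit/v1', '/users', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'permission_callback' => 'demo_authenticate_user_fixed',
		'callback'            => function ( WP_REST_Request $request ) {
			// Handler body is out of scope for this illustration.
			return rest_ensure_response( array( 'ok' => true ) );
		},
	) );
} );
```

Sending a request with no 'st_authorization' header to the demo route returns HTTP 403 from the hardened callback, whereas the flawed callback would return true on an unconfigured site.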

The exploit process involves:

  1. Identifying vulnerable websites using OttoKit versions up to 1.0.78.
  2. Sending a crafted HTTP request with an empty 'st_authorization' header to the REST API endpoint.
  3. Creating new administrator accounts with randomized usernames, passwords, and email addresses, indicating automated exploitation.

This flaw enables attackers to gain full control, potentially installing backdoors, defacing sites, or launching phishing campaigns.

Timeline:

  • March 13, 2025: Vulnerability reported to the developer.
  • April 3, 2025: Patch released in version 1.0.79, fixing the vulnerability.
  • April 10, 2025: Public disclosure by Wordfence, with exploitation attempts observed within hours.
  • April 11, 2025: Ongoing reports of active exploitation.

Security firms including The Birdling, Patchstack and Defiant have confirmed active exploitation, with the first attempts logged just four hours after public disclosure. Attackers are using automated scripts to scan for vulnerable websites and create new admin accounts with randomized credentials, a clear sign of automation.

While specific threat actors have not been identified, the nature of the attacks suggests opportunistic cybercriminals targeting WordPress sites for easy gains. Given the plugin’s popularity, it could attract groups like the Balada Injector campaign, known for exploiting WordPress vulnerabilities to inject malicious code, though their focus is typically on SEO poisoning rather than admin creation.

  • Given the short window between disclosure and exploitation, attackers likely used existing vulnerability scanners to identify targets, exploiting the plugin’s widespread use.
  • This could be part of a broader campaign targeting WordPress ecosystems, similar to the 2024 WP Automatic plugin vulnerability, exploited within days.

To protect against CVE-2025-3102, WordPress administrators should:

[Mitigation recommendations were presented as an image in the original and are not reproduced here.]