Full Report
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The
Analysis Summary
# Vulnerability: OttoKit (SureTriggers) WordPress Plugin Unauthenticated Admin Account Creation
## CVE Details
- CVE ID: CVE-2025-3102
- CVSS Score: 8.1 (High)
- CWE: Missing Authorization / Authentication Bypass
## Affected Systems
- Products: OttoKit (formerly SureTriggers) WordPress Plugin
- Versions: All versions up to and including 1.0.78
- Configurations: Exploitable when the plugin is installed and activated but **not configured with an API key**.
## Vulnerability Description
The vulnerability is an authentication bypass flaw in the `autheticate_user` function of the OttoKit (SureTriggers) WordPress plugin. It stems from a missing check for an empty `secret_key` value: when the plugin has no API key configured, the comparison succeeds against an empty value, so unauthenticated attackers can bypass authentication and create new administrator accounts on affected websites, gaining full control of the site.
## Exploitation
- Status: Exploited in the wild (Active exploitation reported shortly after disclosure)
- Complexity: Low (Unauthenticated remote exploitation possible)
- Attack Vector: Network
## Impact
- Confidentiality: High (Full site control allows access to all data)
- Integrity: High (Attacker can modify files, upload plugins, serve malware/spam)
- Availability: High (Attacker can compromise the site availability)
## Remediation
### Patches
- The issue is addressed in **version 1.0.79** of the OttoKit plugin.
### Workarounds
- Patching is strongly recommended because the flaw is under active exploitation. If immediate patching is impossible, configuring the plugin's API key is a temporary mitigation, since the vulnerability only applies while the plugin is installed and activated but left unconfigured. **Patching is the definitive solution.**
## Detection
- Indicators of Compromise (IOCs): Recently created administrator accounts with anomalous usernames (e.g. "xtw1838783bc", observed during the initial attacks).
- Detection methods and tools: Monitor WordPress site logs for unusual POST requests targeting the plugin's authentication endpoint. Use security scanners to verify current plugin versions.
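The two detection steps above, carried out as a small Python triage script (an added example, not part of the report or the plugin): it picks out successful POSTs to the plugin's authentication route in a constructed access log, lists recently registered administrators from a constructed user export, and pairs the two. The REST route is a placeholder and the random-username pattern is an assumption, since the report names neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Placeholder: the report does not name the plugin's REST route; take the real
# path from the vendor advisory before running this against real logs.
ENDPOINT = "/wp-json/PLUGIN-AUTH-ENDPOINT"
# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
# Assumed heuristic for names like xtw1838783bc: short letter prefix, 5+ digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{1,4}\d{5,}[a-z0-9]*$")

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def endpoint_posts(log_text, endpoint=ENDPOINT):
    """Return (ip, timestamp) for every HTTP 200 POST to the plugin auth route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).startswith(endpoint) and m.group(5) == "200":
            hits.append((m.group(1), parse_ts(m.group(2))))
    return hits

def new_admins(users, now, lookback_days=7):
    """Administrator accounts registered within the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return [u for u in users if u["role"] == "administrator" and u["registered"] >= cutoff]

def correlate(posts, admins, window=timedelta(minutes=10)):
    """Pair each new admin with endpoint POSTs made shortly before its registration;
    the third field says whether the username matches the random-name heuristic."""
    out = []
    for u in admins:
        for ip, ts in posts:
            if timedelta(0) <= u["registered"] - ts <= window:
                out.append((u["user_login"], ip, bool(RANDOM_NAME_RE.match(u["user_login"]))))
    return out

# Constructed sample data (RFC 5737 test addresses, not real traffic or users).
SAMPLE_LOG = """203.0.113.5 - - [10/Apr/2025:14:02:11 +0000] "POST /wp-json/PLUGIN-AUTH-ENDPOINT HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [10/Apr/2025:14:03:40 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
SAMPLE_USERS = [
    {"user_login": "editor_jane", "role": "editor", "registered": datetime(2025, 4, 9, tzinfo=timezone.utc)},
    {"user_login": "xtw1838783bc", "role": "administrator", "registered": datetime(2025, 4, 10, 14, 2, 30, tzinfo=timezone.utc)},
    {"user_login": "siteowner", "role": "administrator", "registered": datetime(2024, 1, 5, tzinfo=timezone.utc)},
]
NOW = datetime(2025, 4, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for login, ip, random_name in correlate(endpoint_posts(SAMPLE_LOG), new_admins(SAMPLE_USERS, NOW)):
        print(f"REVIEW: admin {login!r} created right after POST from {ip}; random-looking name: {random_name}")
```

On a live site the user list can come from `wp user list --fields=user_login,roles,user_registered --format=json`, mapping each record into the dict shape used above.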
## References
- Vendor changelog (WordPress plugin repository, no separate advisory published): hxxps://wordpress.org/plugins/suretriggers/#developers
- Wordfence Analysis: hxxps://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/
- Patchstack Report: hxxps://patchstack.com/articles/critical-suretriggers-plugin-vulnerability-exploited-within-4-hours