
WordPress plugin with over 100,000 installations under active exploitation


A newly discovered security vulnerability affecting the OttoKit WordPress plugin (previously known as SureTriggers) was actively exploited within hours of public disclosure. The flaw was reported to the plugin’s developer on March 13, 2025, and was patched in the plugin’s version 1.0.79 update, released on April 3, 2025.

The bug itself is tracked as CVE-2025-3102 and has a score of 8.1 out of 10 on the CVSS scale. It’s an authorisation bypass bug that allows a hacker to create admin accounts and take over vulnerable websites under specific conditions. Specifically, due to a missing empty value check on a “secret_key” value in the “authenticate_user” function, unauthenticated attackers can create admin accounts on a website where the plugin is installed and activated but hasn’t been configured with an API key. All versions up to and including 1.0.78 are vulnerable to the bug.
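To make the "missing empty value check" concrete, here is an added Python model (not the plugin's PHP code, and written for this article rather than taken from it) of the flawed comparison beside a hardened one, plus a small triage helper for the installed-but-unconfigured state the advisory describes. The site dictionaries and key values are constructed for the example.

```python
import hmac
from typing import Optional

# Constructed site states: a configured site stores the key the admin set;
# an installed-but-unconfigured site (the exploitable condition) has none.
CONFIGURED_SITE = {"plugin_active": True, "secret_key": "s3cr3t-configured-by-admin"}
UNCONFIGURED_SITE = {"plugin_active": True, "secret_key": ""}


def authenticate_vulnerable(site: dict, request_key: Optional[str]) -> bool:
    """Model of the flawed logic: the supplied key is compared with the stored
    one, but nothing rejects the case where the stored key was never set."""
    stored = site.get("secret_key") or ""
    supplied = request_key or ""
    return stored == supplied          # "" == "" passes on an unconfigured site


def authenticate_fixed(site: dict, request_key: Optional[str]) -> bool:
    """Hardened model: refuse when no key has been configured or none was
    supplied, then compare in constant time to avoid a timing side channel."""
    stored = site.get("secret_key") or ""
    supplied = request_key or ""
    if not stored or not supplied:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def unconfigured_active_sites(sites: dict) -> list:
    """Triage helper: names of sites where the plugin is active but no key is
    configured, i.e. the state this advisory describes as exploitable."""
    return [name for name, s in sites.items()
            if s.get("plugin_active") and not (s.get("secret_key") or "")]


if __name__ == "__main__":
    fleet = {"shop": CONFIGURED_SITE, "blog": UNCONFIGURED_SITE}
    print("unconfigured but active:", unconfigured_active_sites(fleet))
    print("vulnerable check, no key sent:", authenticate_vulnerable(UNCONFIGURED_SITE, ""))
    print("fixed check, no key sent:", authenticate_fixed(UNCONFIGURED_SITE, ""))
```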

While the plugin has over 100,000 active installations, according to WordPress security firm WordFence’s report, only a small subset of those installations is exploitable. This is because the vulnerability requires the plugin to be installed and activated but left unconfigured. Regardless, this is a serious security issue for any site using the plugin, and admins are advised to update the plugin as soon as possible.


Security firm Patchstack has observed attackers attempting to exploit the vulnerability by creating fake admin accounts under the name “xtw1838783bc.” The name seems randomised, suggesting that the threat actors use a script to automate the account creation process. It’s also highly likely that the username, password, and email alias will be different for each exploitation attempt, according to the company’s report.

Currently, attack attempts have originated from one IPv6 address and one IPv4 address:

  • IPv6: 2a01:e5c0:3167::2
  • IPv4: 89.169.15.201

The best course of action for any website using the plugin is to update to version 1.0.79 immediately. If updating the plugin right away isn’t possible, admins are advised to deactivate or uninstall the plugin on their website. Configuring the plugin can also serve as a workaround, but it still leaves a vulnerable plugin version installed on the website that might get exploited further as threat actors discover more about the vulnerability and develop more advanced attack vectors.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.