OttoKit Plugin Flaw Exploited Within Hours of Public Disclosure

Hackers began taking advantage of a serious authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin just hours after it was publicly disclosed.

The issue, tracked as CVE-2025-3102, affects versions up to 1.0.78 and allows attackers to create unauthorized administrator accounts by sending an empty st_authorization header when no API key is configured.
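The failure mode described above, an unset API key that compares equal to an empty header, is easiest to see side by side with a hardened check. The following is an added illustration, not OttoKit's own code; the function names and the string-based key storage are assumptions:

```python
from hmac import compare_digest

def weak_check(stored_api_key: str, header_value: str) -> bool:
    """Vulnerable pattern (hypothetical, modelled on the bug class in the article).

    When no API key has been configured the stored value is an empty string,
    so a request carrying an empty header compares equal and is accepted.
    """
    return stored_api_key == header_value


def hardened_check(stored_api_key: str, header_value: str) -> bool:
    """Hardened pattern: fail closed on a missing key or an empty header,
    then compare in constant time."""
    if not stored_api_key or not header_value:
        return False
    return compare_digest(stored_api_key, header_value)


def evaluate_scenarios() -> dict:
    """Run both checks over constructed cases and report which ones are accepted."""
    cases = {
        "no key configured, empty header": ("", ""),
        "key configured, empty header": ("s3cr3t-constructed", ""),
        "key configured, wrong header": ("s3cr3t-constructed", "guess"),
        "key configured, correct header": ("s3cr3t-constructed", "s3cr3t-constructed"),
    }
    return {
        name: {"weak": weak_check(k, h), "hardened": hardened_check(k, h)}
        for name, (k, h) in cases.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:35} weak={result['weak']!s:5} hardened={result['hardened']}")
```

The only case where the two checks disagree is the unconfigured-key one, which is exactly the condition the advisory names; the constant-time comparison is an extra hardening step, not something the article attributes to the fix.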

The plugin, active on over 100,000 websites, enables users to automate tasks across services like WooCommerce and Google Sheets.

Wordfence shared details about the flaw, discovered by researcher 'mikemyers', who received a $1,024 bounty.

Although a fix was issued the same day in version 1.0.79, attackers rapidly began exploiting unpatched sites.

Patchstack confirmed that the first attacks were seen just four hours after the vulnerability was added to its protection database.

Users are urged to update immediately and review their logs for signs of unauthorized changes or suspicious new admin accounts.
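A small triage helper for the two checks the article recommends, confirming the installed version is patched and looking for administrator accounts created recently, is added below. It is not part of the article or the plugin; the user rows are constructed sample data standing in for an export of the WordPress users table, and the affected-version boundary is taken from the article (up to 1.0.78, fixed in 1.0.79):

```python
from datetime import datetime

# Last affected release per the advisory summarised above.
LAST_AFFECTED = (1, 0, 78)

# Constructed sample rows: (user_login, role, user_registered). Not real site data.
SAMPLE_USERS = [
    ("siteowner", "administrator", "2023-05-02 10:15:00"),
    ("editor_jane", "editor", "2024-11-20 08:00:00"),
    ("wpadm1n", "administrator", "2025-04-10 14:32:11"),  # constructed suspicious entry
    ("shop_bot", "subscriber", "2025-04-10 14:40:00"),
]


def parse_version(version: str) -> tuple:
    """Turn a dotted plugin version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True if the installed plugin version is within the affected range."""
    return parse_version(version) <= LAST_AFFECTED


def recent_admins(users, since: datetime) -> list:
    """Return administrator rows registered at or after `since`, oldest first."""
    hits = []
    for login, role, registered in users:
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if role == "administrator" and created >= since:
            hits.append((login, role, registered))
    return sorted(hits, key=lambda row: row[2])


if __name__ == "__main__":
    # Review window chosen for the constructed data; adjust to your own timeline.
    window_start = datetime(2025, 4, 1)
    for v in ("1.0.78", "1.0.79"):
        print(f"version {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for login, _, registered in recent_admins(SAMPLE_USERS, window_start):
        print(f"review admin account {login!r} created {registered}")
```

On a live site the same two questions can be answered with the plugin's version string from the admin screen and a query of wp_users joined to the capabilities entry in wp_usermeta; the helper only encodes the comparison logic so the review is repeatable.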