A vulnerability in the OttoKit (formerly SureTriggers) plugin for WordPress has recently been discovered and could affect over 100,000 active websites.
Researchers at Wordfence first found the flaw, which allows unauthenticated attackers to create administrator accounts on unconfigured sites. If left unchecked, this vulnerability could lead to full site compromise.
What is SureTriggers and How Does This Vulnerability Work?
OttoKit (formerly SureTriggers) is a plugin for WordPress that enables website automation by connecting various platforms and services. It’s a tool designed to simplify processes like syncing data between apps, running marketing automation, and integrating different parts of a website’s ecosystem.
The vulnerability (CVE-2025-3102), discovered on March 13, 2025, allows attackers to create administrator-level accounts on WordPress sites using SureTriggers when the plugin is left mis- or unconfigured (no API key is set).
The issue lies in a missing validation check for the secret key used in authentication. In cases where the plugin is installed but not officially set up with API key credentials, an attacker can bypass that authentication entirely, gaining admin access to the website.
While this vulnerability can only be exploited on newly installed, unconfigured instances of the plugin, the risks are significant.
Once an attacker gains admin access to a WordPress site, they can:
- Install malicious files, such as backdoor plugins or compromised themes.
- Modify content on the site, injecting harmful code or spam, or redirecting users to malicious sites.
- Take full control of the site, which could result in data theft, site defacement, or the spread of malware.
Affected Versions
For anyone using SureTriggers without proper configuration, this represents a serious threat. Even if you’re not directly affected now, it’s a good idea to stay informed and check that all your tools are up to date and properly configured.
The vulnerability impacts all versions of the SureTriggers plugin up to and including version 1.0.78. If you’re using an unconfigured version, your site may be at risk. However, sites that have correctly configured the plugin (i.e., set up an API key) are not vulnerable to this flaw.
If you’re unsure whether your site is configured correctly, now is the time to verify the settings. And, if you’re running an older version of the plugin, you’ll need to update it immediately.
Recommendations
Update the Plugin:
The vulnerability was patched in SureTriggers version 1.0.79, which was released on April 3, 2025. If you’re using an older version, update as soon as possible to protect your site.
Properly Configure the Plugin:
If you haven’t already, make sure the plugin is configured with a valid API key. This simple step can prevent attackers from exploiting the vulnerability.
Monitor Your Site & Utilize Security Software:
After updating and configuring the plugin, it’s a good idea to monitor your site for unusual activity. Check for any new administrator accounts or changes to posts and pages.
Also consider using security software at the server or website level. Tools such as Wordfence can check for any available firewall rules or patches to protect against known vulnerabilities. Wordfence Premium users had actually already received a firewall rule on April 1, 2025, to block exploits targeting this issue.
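One way to carry out the administrator-account check recommended above, as an added example that is not from Wordfence or the plugin's developers: a small shell function that reads a WP-CLI administrator export and flags accounts that are not on your expected list or were registered on or after a cutoff date. The sample rows, the expected-login list and the function names are constructed for illustration; the cutoff in the demo is the discovery date given in this article.

```shell
#!/usr/bin/env bash
# Added example: review administrator accounts exported by WP-CLI.
# Feed it the CSV from:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
# Assumes logins and e-mail addresses contain no commas.

# audit_admins CUTOFF KNOWN_LOGINS
#   CUTOFF        YYYY-MM-DD; accounts registered on or after it are "recent"
#   KNOWN_LOGINS  comma-separated logins you expect to be administrators
# Prints login,registered,reason for every account that needs a look.
audit_admins() {
  awk -F',' -v cutoff="$1" -v known="$2" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    NR == 1 { next }                      # header row
    {
      gsub(/["\r]/, "")                   # drop CSV quotes and CR, re-splits fields
      reason = ""
      if (!($2 in ok)) reason = "unknown-login"
      if (substr($4, 1, 10) >= cutoff) {  # ISO dates sort as strings
        reason = (reason != "" ? reason "+" : "") "recent"
      }
      if (reason != "") print $2 "," $4 "," reason
    }'
}

# Constructed sample export (not real data).
sample_csv() {
  cat <<'EOF'
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,"2023-06-01 09:00:00"
2,editor-lead,lead@example.com,"2024-11-15 14:30:00"
5,old_admin,old@example.com,"2022-01-20 11:05:00"
7,wp_support,support@example.net,"2025-04-10 03:12:45"
8,siteowner2,owner2@example.com,"2025-04-11 08:00:00"
EOF
}

# Demo: cutoff set to the discovery date given in the article.
sample_csv | audit_admins 2025-03-13 siteowner,editor-lead,siteowner2
```

An account flagged "recent" that you do recognise still deserves a check of who created it, since a familiar-looking login is no proof the account is legitimate.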
If you are using SureTriggers, update your plugins.
While the vulnerability in SureTriggers affects a specific set of circumstances, the risks associated with it are significant. By updating the plugin and ensuring it’s properly configured, you can protect your site from potential attackers.
Developers for the SureTriggers plugin also acted quickly in resolving this vulnerability, releasing a patch within a day of being notified by Wordfence security researchers.
Their prompt response is a reminder of the importance of timely security updates in the fast-moving world of web development.
Stay vigilant and ensure your tools are up to date. With vulnerabilities like this, quick action is key to maintaining a secure online presence.