OttoKit Meltdown: WordPress Sites Vulnerable to Hilarious Hijack!

OttoKit WordPress plugin users, beware! A vulnerability is allowing attackers to create new admin accounts, putting your site at risk. The bug, CVE-2025-3102, is due to a missing empty-value check on the plugin's API key. Update to version 1.0.79 or later to stay safe, because nobody wants their site hijacked by a cyber prankster!


Hot Take:

OttoKit: the automation tool that automates your website’s demise, now with a free administrator account for hackers! Who needs complicated setup procedures when leaving it unconfigured does the trick? Now, that’s some seriously effortless automation!

Key Points:

  • OttoKit, formerly SureTriggers, is a WordPress plugin with a severe authentication bypass vulnerability.
  • The vulnerability, CVE-2025-3102, allows attackers to create new administrator accounts.
  • This flaw can be exploited only if the plugin is installed and activated but never configured with an API key.
  • Defiant has urged users to update to OttoKit version 1.0.79 or later to patch the vulnerability.
  • The researcher who identified the bug received a $1,024 bounty for their discovery.
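The key points above describe the root cause as a missing empty-value check: an activated but unconfigured plugin has no API key stored, so a comparison against an empty stored value can succeed. The PHP below is an added illustration written for this page, not OttoKit's actual code; the function names, the stand-in for the stored option, and the two authentication variants are all hypothetical. It shows the weak pattern beside a hardened one that denies access until a key exists and compares in constant time.

```php
<?php
// Added example, not OttoKit's code. Demonstrates why a missing
// empty-value check on a stored API key is dangerous and how to fix it.

// Constructed stand-in for reading the plugin's saved key (e.g. a WordPress
// option). On an activated-but-unconfigured install nothing has been saved,
// so the value is the empty string.
function stored_api_key(): string {
    return ''; // constructed: plugin activated, never configured
}

// Weak pattern: blindly compares the supplied value with the stored one.
// With no key configured, both sides are empty and the comparison succeeds,
// so a request carrying no credential at all is treated as authenticated.
function authenticate_weak(?string $supplied): bool {
    $expected = stored_api_key();
    return $supplied === $expected;
}

// Hardened pattern: deny when the plugin has no key configured, deny when the
// request supplies nothing, and only then compare in constant time.
function authenticate_hardened(?string $supplied): bool {
    $expected = stored_api_key();
    if ($expected === '' || $supplied === null || $supplied === '') {
        // Unconfigured plugin or missing credential: fail closed.
        return false;
    }
    return hash_equals($expected, $supplied);
}

// A request that omits the credential entirely.
$missing = '';
var_dump(authenticate_weak($missing));      // accepted: the bypass
var_dump(authenticate_hardened($missing));  // rejected
```

The defensive takeaway is the order of checks: an empty configured secret must short-circuit to "deny" before any comparison runs, because an equality test between two empty strings is true regardless of how carefully it is written.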

The Nimble Nerd