OttoKit WordPress Plugin Flaw: Hackers Throw a Party While You Panic!

Threat actors are having a field day exploiting the OttoKit WordPress plugin flaw mere hours after it was disclosed. With a CVSS score of 8.1, this vulnerability allows attackers to take over sites by creating admin accounts. If your site isn’t updated, it might be the hackers doing the “SureTriggers” happy dance.

Hot Take:

Who knew that the real “SureTrigger” was a hacker’s delight? OttoKit, or should we say “Oh-no-Kit,” has become the latest buffet for cyber attackers. It’s like a digital version of leaving your front door wide open with a sign saying “free admin accounts inside”—and the hackers are lining up faster than a Black Friday sale!

Key Points:

  • A vulnerability in the OttoKit WordPress plugin (formerly SureTriggers) is being actively exploited.
  • The flaw allows attackers to create malicious administrator accounts on unconfigured sites.
  • The vulnerability is tracked as CVE-2025-3102 with a CVSS score of 8.1.
  • Over 100,000 sites use the plugin, but only a subset is exploitable.
  • A patch (version 1.0.79) was released on April 3, 2025, to address the issue.
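A small triage helper for the two facts above (patched version 1.0.79, admin accounts created after disclosure). This is an added example, not code from the article or from the plugin vendor; the plugin slugs and the JSON layout are assumptions modelled on `wp plugin list --format=json` and `wp user list --role=administrator --format=json`, and the sample data is constructed.

```python
"""Triage helper: is OttoKit/SureTriggers below the patched version, and
were any administrator accounts registered after the disclosure date?
Sample data below is constructed and stands in for WP-CLI JSON output."""
import json
from datetime import datetime, timezone

PATCHED_VERSION = "1.0.79"                    # fix version named in the advisory
DISCLOSURE = datetime(2025, 4, 3, tzinfo=timezone.utc)
PLUGIN_SLUGS = {"suretriggers", "ottokit"}    # assumed slugs; verify on your install

# Constructed sample output, not taken from any real site.
PLUGINS_JSON = json.dumps([
    {"name": "suretriggers", "status": "active", "version": "1.0.78"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])
ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2023-01-10 09:00:00"},
    {"ID": 57, "user_login": "wp_support_x", "user_registered": "2025-04-04 02:13:40"},
])


def version_tuple(v: str) -> tuple:
    """'1.0.78' -> (1, 0, 78) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_plugin(plugins_json: str):
    """Return the plugin entry if it is installed below PATCHED_VERSION, else None."""
    for p in json.loads(plugins_json):
        if p["name"] in PLUGIN_SLUGS and version_tuple(p["version"]) < version_tuple(PATCHED_VERSION):
            return p
    return None


def suspicious_admins(admins_json: str) -> list:
    """Logins of administrator accounts registered on or after DISCLOSURE."""
    hits = []
    for u in json.loads(admins_json):
        reg = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if reg >= DISCLOSURE:
            hits.append(u["user_login"])
    return hits


def triage(plugins_json: str, admins_json: str) -> dict:
    """Combine both checks into one result a responder can act on."""
    return {"needs_update": vulnerable_plugin(plugins_json) is not None,
            "review_admins": suspicious_admins(admins_json)}


if __name__ == "__main__":
    print(triage(PLUGINS_JSON, ADMINS_JSON))
```

An account flagged here is only a lead for review; confirm it against your own change records before removing it.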
