
Threat Actors Exploit High-Severity Bypass Vulnerability in WordPress Plugin

Vlad CONSTANTINESCU

April 11, 2025


Security researchers spotted threat actors exploiting a severe WordPress plugin vulnerability almost immediately after the flaw’s disclosure.

Authentication bypass vulnerability in WordPress plugin

An authentication bypass vulnerability affecting the OttoKit (formerly SureTriggers) WordPress plugin was recently disclosed.

The flaw, tracked as CVE-2025-3102, affects versions 1.0.78 and earlier of the plugin. If exploited, it could let threat actors bypass authentication and create new administrator accounts to hijack the website completely.

The plugin vendor, which became aware of the flaw on April 3, released patched version 1.0.79 on the same day.

However, threat actors wasted no time, exploiting the flaw within hours of the vulnerability's public disclosure, before many site owners had applied the patched version.

Technical details about the flaw

The risks associated with CVE-2025-3102 derive from a faulty plugin function that handles REST API authentication.

More precisely, the authenticate_user() function lacks a check for empty values. If the plugin has been installed but not yet configured with an API key, the stored secret_key value remains empty, so an empty value supplied by a client matches it.

In an attack scenario, a threat actor could send a request carrying an empty st_authorization header to the plugin's REST endpoint and pass the authentication check without knowing any key.
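The following PHP, added here for illustration and not taken from the OttoKit/SureTriggers source, shows a WordPress REST permission callback with the class of defect described above beside a hardened version. The option name, function names and route are assumptions; only the st_authorization header name comes from the advisory.

```php
<?php
// Illustrative reconstruction (not the plugin's real code) of a REST
// permission_callback that compares a stored API key against the
// st_authorization request header. Option/function/route names are assumed.

// Vulnerable: no empty-value check. On a site where the plugin was never
// configured, get_option() yields '' and a request that sends the header
// present but empty also yields '', so the strict comparison succeeds.
function vulnerable_authenticate_user( WP_REST_Request $request ) {
    $secret_key = get_option( 'example_secret_key', '' ); // assumed option name
    $token      = $request->get_header( 'st_authorization' );
    if ( ! empty( $token ) ) {
        list( $token ) = sscanf( $token, 'Bearer %s' );
    }
    // '' === '' is true: an empty header matches an empty configured key.
    // An absent header gives null, and '' === null is false, so it is the
    // present-but-empty header that slips through.
    return $secret_key === $token;
}

// Hardened: refuse when either side is empty, strip the Bearer prefix
// explicitly, then compare in constant time with hash_equals().
function hardened_authenticate_user( WP_REST_Request $request ) {
    $secret_key = get_option( 'example_secret_key', '' );
    if ( ! is_string( $secret_key ) || '' === $secret_key ) {
        // Unconfigured plugin: deny everything instead of accepting anything.
        return new WP_Error( 'not_configured', 'API key is not set.', array( 'status' => 403 ) );
    }

    $token = $request->get_header( 'st_authorization' );
    if ( ! is_string( $token ) || '' === $token ) {
        return new WP_Error( 'missing_token', 'Missing st_authorization header.', array( 'status' => 401 ) );
    }
    if ( 0 === strpos( $token, 'Bearer ' ) ) {
        $token = substr( $token, 7 );
    }
    if ( '' === $token ) {
        return new WP_Error( 'missing_token', 'Empty bearer token.', array( 'status' => 401 ) );
    }

    if ( ! hash_equals( $secret_key, $token ) ) {
        return new WP_Error( 'invalid_token', 'Invalid API key.', array( 'status' => 401 ) );
    }
    return true;
}

// Wiring the hardened callback into a (hypothetical) route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/automation/action', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => 'hardened_authenticate_user',
    ) );
} );
```

Returning a WP_Error from permission_callback makes WordPress answer with the embedded status code, so an unconfigured install now fails closed (403) and a blank or missing header fails with 401 rather than being treated as a valid credential.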

Attackers could weaponize compromised websites

According to a security advisory from WordPress security company Wordfence, attackers could weaponize compromised websites for further malicious purposes:

Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Website administrators using the OttoKit WordPress plugin are advised to update to version 1.0.79 or later to avoid attacks exploiting the CVE-2025-3102 flaw, and to review their sites for unexpected administrator accounts and recently added plugins or themes.

Staying safe against weaponized websites and other threats

Specialized software like Bitdefender Ultimate Security can protect you against hijacked websites that may push malware to your system or redirect you to other malicious websites.

It detects and deters viruses, Trojans, worms, zero-day exploits, spyware, rootkits, ransomware, and other digital threats.

Key features include web attack prevention, anti-phishing, network threat prevention, behavioral detection for active apps, complete real-time data protection, cryptojacking protection and AI-powered scam detection.
