Summary: A high-severity authentication bypass flaw (CVE-2025-3102) in the OttoKit (formerly SureTriggers) plugin for WordPress is being actively exploited by hackers just hours after its public disclosure. Users are urged to update to version 1.0.79 to mitigate risks of unauthorized access and potential site takeover. The vulnerability allows attackers to create new administrator accounts without authentication, emphasizing the urgency of applying security patches immediately.
Affected: OttoKit/SureTriggers WordPress plugin
Key points:
- The vulnerability affects all versions of OttoKit/SureTriggers up to 1.0.78.
- Exploitation is possible if the plugin is not configured with an API key, allowing the stored `secret_key` to remain empty.
- Hackers can exploit the vulnerability by sending an empty `st_authorization` header, gaining unauthorized access to API endpoints.
- First exploitation attempts were logged just four hours after the vulnerability was disclosed.
- Users are recommended to upgrade to version 1.0.79 immediately and check system logs for suspicious activity.
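The two conditions the key points describe (an empty stored `secret_key` matching an empty `st_authorization` header, and the advice to check logs) can be made concrete with an added example. This is an illustrative Python model written for this page, not the plugin's own PHP code: `vulnerable_check` reproduces the flawed comparison, `hardened_check` shows the fail-closed form, and `suspicious_requests` triages a constructed access log. The log format, the `ROUTE_PREFIX` placeholder and all sample lines are assumptions made up for the example; the plugin's real REST paths are not given on this page.

```python
import hmac
import re
from typing import List, Optional

# Model of the flawed authorisation logic described above: the request's
# st_authorization header is compared with the stored secret_key. When the
# plugin was never configured with an API key, secret_key is "" and an empty
# header compares equal to it. Illustrative reconstruction, not plugin code.
def vulnerable_check(stored_secret_key: str, st_authorization: Optional[str]) -> bool:
    if st_authorization is None:
        return False                                 # header absent entirely
    return st_authorization == stored_secret_key     # "" == "" passes


# Hardened form: an unset secret must fail closed, an empty header must fail,
# and the comparison itself is constant-time.
def hardened_check(stored_secret_key: str, st_authorization: Optional[str]) -> bool:
    if not stored_secret_key or not st_authorization:
        return False
    return hmac.compare_digest(stored_secret_key.encode(), st_authorization.encode())


# Log triage for the "check system logs" advice: flag requests to the plugin's
# REST routes whose st_authorization header was empty or missing. The line
# format is a constructed custom access-log format that records that header;
# ROUTE_PREFIX is a placeholder, not the plugin's real namespace.
ROUTE_PREFIX = "/wp-json/EXAMPLE-PLUGIN-NAMESPACE/"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'st_authorization="(?P<auth>[^"]*)"$'
)


def suspicious_requests(log_lines: List[str]) -> List[dict]:
    """Return parsed records for plugin-route requests with an empty auth header."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the expected format; skip
        rec = m.groupdict()
        if rec["path"].startswith(ROUTE_PREFIX) and rec["auth"] == "":
            hits.append(rec)
    return hits


# Constructed sample log: two requests with an empty header to plugin routes,
# one legitimate request carrying a key, one unrelated request.
SAMPLE_LOG = [
    '2025-04-10T12:01:03Z 203.0.113.5 POST /wp-json/EXAMPLE-PLUGIN-NAMESPACE/v1/automation st_authorization=""',
    '2025-04-10T12:01:04Z 203.0.113.5 POST /wp-json/EXAMPLE-PLUGIN-NAMESPACE/v1/automation st_authorization=""',
    '2025-04-10T12:05:00Z 198.51.100.7 POST /wp-json/EXAMPLE-PLUGIN-NAMESPACE/v1/automation st_authorization="REDACTED-KEY"',
    '2025-04-10T12:06:11Z 192.0.2.9 GET /wp-json/wp/v2/posts st_authorization=""',
]

if __name__ == "__main__":
    for rec in suspicious_requests(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} (empty st_authorization)")
```

The defensive point is in `hardened_check`: the fix is not only to set an API key but to make the check refuse service whenever no key is configured, so an unconfigured install cannot be reached through the same comparison. Any hit from `suspicious_requests` should be followed by a review of recently created administrator accounts.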