OttoKit, a WordPress automation plugin, is under active attack after a major security flaw was disclosed. Hackers are exploiting the bug to gain admin access.
The vulnerability, tracked as CVE-2025-3102, received a high CVSS score of 8.1. It allows attackers to bypass authentication and create administrator accounts without permission. Therefore, a hacker can take full control of any affected website.
The issue affects all OttoKit plugin versions up to 1.0.78. Researchers explained that a missing check on the secret_key field enabled this flaw. When the plugin is installed but its secret key has never been configured, attackers can exploit it with ease.
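The following is an added illustration of the bug class the researchers describe (an authorization check that compares a caller-supplied key against the stored secret_key without first confirming that a secret has been configured). It is a hypothetical model written for this page, not OttoKit's code; the function names and the empty-string representation of "not configured" are assumptions.

```python
"""Hypothetical model of the bug class behind CVE-2025-3102 as described in
the article: a key comparison that never checks whether a secret was set.
This is illustrative code written for this page, not the plugin's code."""
import hmac
import secrets
from typing import Optional


def vulnerable_authorize(stored_secret_key: Optional[str],
                         supplied_key: Optional[str]) -> bool:
    """Unconfigured plugin: stored_secret_key is '' (or None, coerced to '').
    A request carrying an empty or missing key then compares equal and is
    treated as authorized, which is the failure mode the article reports."""
    return (stored_secret_key or "") == (supplied_key or "")


def hardened_authorize(stored_secret_key: Optional[str],
                       supplied_key: Optional[str]) -> bool:
    """Fail closed in every ambiguous state, then compare in constant time."""
    # 1. No secret configured yet: nothing can be authorized against it.
    if not stored_secret_key:
        return False
    # 2. Caller sent no key (or an empty one): reject outright.
    if not supplied_key:
        return False
    # 3. Constant-time comparison avoids leaking the key via timing.
    return hmac.compare_digest(stored_secret_key.encode("utf-8"),
                               supplied_key.encode("utf-8"))


def generate_secret_key() -> str:
    """Generate the kind of high-entropy secret the hardened check expects."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Unconfigured plugin: vulnerable check accepts an empty key, hardened rejects it.
    print("vulnerable, unconfigured, empty key:", vulnerable_authorize("", ""))
    print("hardened,   unconfigured, empty key:", hardened_authorize("", ""))
    key = generate_secret_key()
    print("hardened,   configured, correct key:", hardened_authorize(key, key))
```

The point of the hardened version is step 1: a secret that was never set must be treated as "deny", not as an empty string that happens to match another empty string.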
Attackers Are Already Taking Advantage
Hackers acted quickly after the flaw became public. Reports confirm multiple attempts to exploit vulnerable sites. For example, bogus admin accounts named “xtw1838783bc” and “test123123” were created.
The attacks use both IPv4 and IPv6 addresses, including:
- 89.169.15.201
- 107.173.63.224
- 2a01:e5c0:3167::2
- 2602:ffc8:2:105:216:3cff:fe96:129f
Each attempt uses random usernames and emails. Therefore, detecting them can be tricky. However, by checking for unfamiliar admin accounts, site owners can catch these intrusions early.
Only Some Sites Are Vulnerable
While OttoKit has over 100,000 installs, not all sites are at risk. The attack only works if the plugin is activated but left unconfigured. Still, even if a small portion is vulnerable, attackers can cause serious harm.
The plugin enables automated workflows between apps. Its wide use makes this bug especially concerning. Therefore, the risk of misuse is significant.
Update Now to Stay Safe
The issue was discovered on March 13, 2025. A fix was released in version 1.0.79 on April 3, 2025. Site owners using OttoKit should update immediately.
Additionally, they should:
- Remove any unknown admin accounts
- Check user activity logs
- Configure the plugin properly
- Enable security plugins and firewalls
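As an added example (not part of the original article), here is a small audit helper covering the first two steps above: it flags administrator accounts that are not on an expected allow-list or were registered on or after the fix release date, and it scans access-log lines for the IP addresses the article reports. The user export is in the shape produced by the real WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered,roles --format=json`; the export contents, the log lines, the allow-list and the request path are constructed samples, and the log format is assumed to be common log format with the client IP first.

```python
"""Audit helper for the cleanup steps in the article: unexpected admin
accounts and requests from the reported IPs. Sample data is constructed."""
import ipaddress
import json
from datetime import datetime
from typing import Dict, List, Set, Tuple

# IP addresses reported in the article (IPv4 and IPv6).
REPORTED_IPS = {
    "89.169.15.201",
    "107.173.63.224",
    "2a01:e5c0:3167::2",
    "2602:ffc8:2:105:216:3cff:fe96:129f",
}

# Assumption: the administrators you expect to exist on your site.
KNOWN_ADMINS: Set[str] = {"siteowner"}
# Fix released 2025-04-03 (from the article); accounts created from then on get a closer look.
FIX_RELEASE_DATE = datetime(2025, 4, 3)

# Constructed sample in the shape of `wp user list --format=json`.
SAMPLE_USER_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-05-10 09:12:00", "roles": "administrator"},
    {"ID": 57, "user_login": "xtw1838783bc", "user_email": "qpd8x@example.net",
     "user_registered": "2025-04-11 03:41:17", "roles": "administrator"},
    {"ID": 58, "user_login": "test123123", "user_email": "t1@example.org",
     "user_registered": "2025-04-11 03:42:05", "roles": "administrator"},
    {"ID": 12, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2025-04-12 10:00:00", "roles": "editor"},
])

# Constructed access-log lines; PLACEHOLDER-ROUTE stands in for the real request path.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [11/Apr/2025:02:00:01 +0000] "GET / HTTP/1.1" 200 5120
89.169.15.201 - - [11/Apr/2025:03:41:17 +0000] "POST /wp-json/PLACEHOLDER-ROUTE HTTP/1.1" 200 312
2a01:e5c0:3167:0:0:0:0:2 - - [11/Apr/2025:03:42:05 +0000] "POST /wp-json/PLACEHOLDER-ROUTE HTTP/1.1" 200 312
107.173.63.224 - - [11/Apr/2025:05:10:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2810
not-an-ip - - [11/Apr/2025:05:11:00 +0000] "GET /robots.txt HTTP/1.1" 200 67
"""


def suspicious_admins(export_json: str,
                      known_admins: Set[str] = KNOWN_ADMINS,
                      since: datetime = FIX_RELEASE_DATE) -> List[Tuple[str, List[str]]]:
    """Return (login, reasons) for administrator accounts that look unexpected."""
    flagged: List[Tuple[str, List[str]]] = []
    for user in json.loads(export_json):
        if "administrator" not in user.get("roles", ""):
            continue  # only admin accounts matter for this check
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in admin allow-list")
        if registered >= since:
            reasons.append("registered on/after fix release")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged


def hits_from_reported_ips(log_text: str,
                           reported: Set[str] = REPORTED_IPS) -> List[str]:
    """Return log lines whose client IP matches a reported address.
    ipaddress normalises IPv6, so an expanded form still matches '::'-compressed."""
    reported_addrs = {ipaddress.ip_address(ip) for ip in reported}
    hits: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            client = ipaddress.ip_address(line.split()[0])
        except ValueError:
            continue  # malformed first field; skip rather than crash
        if client in reported_addrs:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for login, reasons in suspicious_admins(SAMPLE_USER_EXPORT):
        print(f"review admin account {login!r}: {', '.join(reasons)}")
    for line in hits_from_reported_ips(SAMPLE_ACCESS_LOG):
        print("reported IP seen:", line)
```

Run it against a real export by replacing `SAMPLE_USER_EXPORT` with the output of the WP-CLI command above and `SAMPLE_ACCESS_LOG` with your web server's access log; the allow-list is the one piece you must fill in yourself, since the usernames in these attacks are random and only an explicit list of expected admins catches them reliably.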
By acting fast, WordPress admins can prevent data theft, malware, and redirect scams. Don’t wait—update and audit your site today.
Sleep well, we got you covered.