Within a few hours of its public disclosure, a recently revealed high-severity security flaw affecting OttoKit (previously SureTriggers) has come under active exploitation.
An authorization bypass bug tracked as CVE-2025-3102 (CVSS score: 8.1) could be used by an attacker to create administrator accounts under certain circumstances and take control of susceptible websites.
Due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78, the SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass, according to Wordfence’s István Márton.
When the plugin is installed and activated but not configured with an API key, unauthenticated attackers can create administrator accounts on the target website.
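The bug class described above, as an added sketch that is not the plugin's source code: a key comparison without an empty value check beside a version that fails closed. The function names, the way the stored key is passed in, and the sample keys are assumptions made for this illustration.

```php
<?php
// Added illustration; NOT the plugin's source. Function names and sample
// values are constructed for this sketch.

// Flawed pattern: compares the supplied value with the stored key but never
// checks that a key has been configured. On an unconfigured install the
// stored key is empty, so an empty supplied value compares equal.
function authenticate_flawed(?string $stored_key, ?string $supplied_key): bool
{
    return (string) $supplied_key === (string) $stored_key;
}

// Hardened pattern: fail closed when either side is empty, then compare in
// constant time. hash_equals('', '') is true, so the emptiness check is
// required and cannot be replaced by the constant-time comparison alone.
function authenticate_hardened(?string $stored_key, ?string $supplied_key): bool
{
    if ($stored_key === null || $stored_key === '') {
        return false; // plugin not configured: nobody authenticates
    }
    if ($supplied_key === null || $supplied_key === '') {
        return false; // missing or blank credential
    }
    return hash_equals($stored_key, $supplied_key);
}

// Constructed cases: [label, stored key, supplied key]
$cases = [
    ['configured, correct key',     'k3y-constructed', 'k3y-constructed'],
    ['configured, wrong key',       'k3y-constructed', 'guess'],
    ['configured, blank key',       'k3y-constructed', ''],
    ['unconfigured, blank key',     '',                ''],
    ['unconfigured, value absent',  null,              null],
];

foreach ($cases as [$label, $stored, $supplied]) {
    printf(
        "%-30s flawed=%-5s hardened=%s\n",
        $label,
        var_export(authenticate_flawed($stored, $supplied), true),
        var_export(authenticate_hardened($stored, $supplied), true)
    );
}
```

Only the two unconfigured rows differ between the columns, which matches the precondition stated above: the flaw is reachable only while no API key has been set.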
Successful exploitation of the vulnerability may enable an attacker to gain full control over a WordPress website, upload arbitrary plugins, modify the site to serve spam or malware, and even redirect site visitors to other questionable websites.
A security researcher is credited with finding and reporting the flaw on March 13, 2025. Version 1.0.79 of the plugin, which was released on April 3, 2025, addresses the problem.
OttoKit enables WordPress users to connect various apps and plugins through workflows that can be used to automate repetitive tasks.
Although the plugin has over 100,000 active installations, it is important to point out that only a small percentage of the websites are actually vulnerable, because exploitation depends on the plugin being in a non-configured state despite being installed and activated.
Despite this, attackers have already jumped on the exploitation bandwagon, per Patchstack, attempting to quickly capitalize on the disclosure to create bogus administrator accounts with the name “xtw1838783bc.”
Since it is randomized, it is very likely that the username, password, and email alias will be different for each exploitation attempt, according to the WordPress security firm.
The attack attempts came from two distinct IP addresses:
- 2a01:e5c0:3167::2 (IPv6)
- 89.169.15.201 (IPv4)
In light of active exploitation, WordPress site owners who rely on the plugin are advised to update as soon as possible to ensure maximum protection, look for suspicious admin accounts, and delete them.