

Ethical Hacking News

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation: A Critical Security Alert



A newly discovered high-severity vulnerability in OttoKit has raised concerns among WordPress site owners, leaving many wondering if they can trust the plugin that was once touted as a solution for automating workflows. To understand the context of this alert and how it affects users, read the full article about the OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation.

  • OttoKit plugin, used for automating workflows on WordPress sites, has been hit by a high-severity security flaw (CVE-2025-3102) allowing attackers to create administrator accounts.
  • The vulnerability was discovered by Michael Mazzolini in March 2025 and is currently under active exploitation.
  • Only a subset of installations is at risk: those where the plugin is installed and activated but has not yet been configured.
  • Security experts advise users to apply the latest updates as soon as possible for optimal protection.
  • To check for malicious administrator accounts: check the 'wp-admin' login page, look for randomly generated usernames, and confirm whether those users have administrative capabilities.
  • Risks associated with exploiting this vulnerability include malicious modifications, redirects to sketchy websites, and full control over the website's admin panel.
  • Upgrading to version 1.0.79 of the plugin can minimize risk by fixing the issue.



    OttoKit, a popular plugin for automating workflows and connecting different apps to WordPress sites, has recently been hit by a high-severity security flaw that is currently under active exploitation. The vulnerability, tracked as CVE-2025-3102 with a CVSS score of 8.1, can permit an attacker to create administrator accounts on susceptible websites due to a missing empty value check in the plugin's 'autheticate_user' function, leaving WordPress site owners worried about potential breaches and malicious activity.

    The vulnerability was discovered by security researcher Michael Mazzolini (aka mikemyers) on March 13, 2025. Following its public disclosure, attackers began attempting to exploit the newly disclosed flaw in the hope of taking control of WordPress sites. According to Patchstack, attackers have already started trying to capitalize on the discovery by creating bogus administrator accounts with randomly generated usernames, passwords, and email aliases.

    Although the plugin is reported to have over 100,000 active installations, only a subset of these websites is at risk: the plugin must be installed and activated but not yet configured. In light of this, security experts advise site owners who rely on the plugin to apply the latest updates as soon as possible for optimal protection.
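    The two paragraphs above describe the root cause only in outline: an authentication function that does not reject an empty stored value, so an installation that is active but unconfigured accepts a request that also carries no secret. The following Python is an added illustration of that bug class written for this page; it is not the plugin's code, and the names `authenticate_user_vulnerable`, `authenticate_user_hardened`, `handle_connect_request`, the `api_secret` setting and the `X-Api-Secret` header are all constructed for the example.

```python
import hmac

# Constructed settings for a hypothetical automation plugin.
# An empty api_secret models the "installed and activated but not configured" state.
CONFIGURED_SITE = {"api_secret": "s3cr3t-token-from-settings-page"}
UNCONFIGURED_SITE = {"api_secret": ""}


def authenticate_user_vulnerable(settings: dict, supplied_secret: str) -> bool:
    """The bug class: compare stored secret to the request's secret without first
    checking that the stored secret is non-empty. On an unconfigured site both
    sides are "" and the comparison succeeds."""
    stored = settings.get("api_secret", "")
    return stored == supplied_secret


def authenticate_user_hardened(settings: dict, supplied_secret: str) -> bool:
    """Hardened form: fail closed when either value is empty (unconfigured site,
    or request without the header), then compare in constant time."""
    stored = settings.get("api_secret", "")
    if not stored or not supplied_secret:
        return False
    return hmac.compare_digest(stored.encode(), supplied_secret.encode())


def handle_connect_request(settings: dict, headers: dict, authenticate) -> str:
    """Models the privileged endpoint guarded by the check (hypothetical).
    Returns whether the request would be allowed to proceed to account creation."""
    supplied = headers.get("X-Api-Secret", "")
    return "allowed" if authenticate(settings, supplied) else "denied"


if __name__ == "__main__":
    # A request with no header at all against an unconfigured site:
    print(handle_connect_request(UNCONFIGURED_SITE, {}, authenticate_user_vulnerable))  # allowed
    print(handle_connect_request(UNCONFIGURED_SITE, {}, authenticate_user_hardened))    # denied
```

    The fix is the explicit emptiness check, which is exactly the "empty value check" the advisory says was missing; the constant-time comparison is an additional hardening choice, not something the page attributes to the patched plugin.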

    To check if an administrator account has been created with malicious intent and remove it from the website, WordPress users can follow these steps:
    1) Check the 'wp-admin' login page.
    2) Look out for a randomly generated username that does not seem correct or familiar.
    3) Confirm whether this user has any administrative capabilities.
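    The three steps above can be automated for a site with more than a handful of users. The Python below is an added example for this page, not a tool the article or OttoKit provides: it takes the JSON that `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` (WP-CLI) prints, and flags administrators who are not on a known list, were registered on or after the March 13, 2025 disclosure date, or have a random-looking username. The sample records and the `KNOWN_ADMINS` set are constructed; the entropy threshold is a heuristic chosen for the example.

```python
import json
import math
from datetime import datetime

# Constructed sample of WP-CLI output (wp user list ... --format=json).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com",
     "user_registered": "2021-05-02 10:15:00"},
    {"ID": 7, "user_login": "marketing_tom", "user_email": "tom@example.com",
     "user_registered": "2024-11-20 09:00:00"},
    {"ID": 42, "user_login": "xk9qzt2vplm4", "user_email": "xk9qzt2vplm4@example.net",
     "user_registered": "2025-04-09 03:41:17"},
])

KNOWN_ADMINS = {"siteadmin"}            # constructed: the site's expected administrators
DISCLOSURE_DATE = datetime(2025, 3, 13)  # disclosure date given in the advisory


def shannon_entropy(s: str) -> float:
    """Bits per character; generated usernames tend to score high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(login: str) -> bool:
    """Heuristic for generated usernames: long, mixes letters and digits, high entropy."""
    has_digit = any(c.isdigit() for c in login)
    has_alpha = any(c.isalpha() for c in login)
    return len(login) >= 10 and has_digit and has_alpha and shannon_entropy(login) > 3.0


def flag_suspicious_admins(wp_cli_json: str, known_admins: set, since: datetime) -> dict:
    """Return {user_login: [reasons]} for every administrator that trips a check.
    Filtering on --role=administrator upstream covers step 3 (capabilities)."""
    findings = {}
    for user in json.loads(wp_cli_json):
        login = user["user_login"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in known administrator list")
        if registered >= since:
            reasons.append("registered on or after disclosure date")
        if looks_random(login):
            reasons.append("random-looking username")
        if reasons:
            findings[login] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in flag_suspicious_admins(SAMPLE_WP_CLI_JSON, KNOWN_ADMINS, DISCLOSURE_DATE).items():
        print(f"{login}: {', '.join(reasons)}")
```

    A legitimate but unlisted account ("marketing_tom" in the sample) is reported with a single reason so it can be added to the known list; an account that trips all three checks is the one to review and remove, after rotating any credentials it could have reached.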

    Security experts have stressed that exploiting this vulnerability can lead to several risks and dangers including:

    1. Malicious modifications made on the site, including uploading of arbitrary plugins and content.
    2. The capability to redirect visitors to sketchy websites.
    3. Complete control over the website's administrative panel, enabling an attacker to take full control.

    To avoid falling prey to such attacks and protect themselves from potential security threats, WordPress users relying on the plugin are advised to update their installation as soon as possible. In this regard, version 1.0.79 of the plugin has already been released by OttoKit with a fix for the issue. By upgrading to this latest version, users can significantly minimize their risk.

    The attack attempts originating from two different IP addresses - IPv6 address '2a01:e5c0:3167::2' and IPv4 address '89.169.15.201' - demonstrate how quickly attackers can jump on a newly discovered vulnerability in order to exploit it. This highlights the importance of staying updated with security patches and keeping an eye out for malicious activity.

    OttoKit is now working closely with WordPress security experts and the broader security community to provide support and guidance to affected users. Those who need further assistance or have concerns about their website's security are encouraged to get in touch with them directly for personalized advice and solutions.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/OttoKit-WordPress-Plugin-Admin-Creation-Vulnerability-Under-Active-Exploitation-A-Critical-Security-Alert-ehn.shtml

  • https://thehackernews.com/2025/04/ottokit-wordpress-plugin-admin-creation.html

  • https://thenimblenerd.com/article/wordpress-chaos-ottokit-flaw-sparks-frenzy-update-now-or-regret-later/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-3102

  • https://www.cvedetails.com/cve/CVE-2025-3102/


  • Published: Fri Apr 11 01:33:20 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
