CVE-2025-3102: 
WordPress vulnerability analysis and mitigation

The SureTriggers (now OttoKit) WordPress plugin contains a critical authentication bypass vulnerability (CVE-2025-3102) that affects all versions up to and including 1.0.78. The vulnerability was discovered by security researcher 'mikemyers' on March 13, 2025, and was patched in version 1.0.79 released on April 3, 2025. This plugin, which provides automation capabilities for WordPress sites, has over 100,000 active installations (Hacker News).

The vulnerability stems from a missing empty value check on the 'secretkey' value in the 'authenticateuser' function. The flaw has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-697 (Incorrect Comparison) and specifically affects installations where the plugin is activated but not configured with an API key (NVD).

When successfully exploited, the vulnerability allows unauthenticated attackers to create administrator accounts on the target website. This access could enable attackers to gain complete control over a WordPress site, upload arbitrary plugins, make malicious modifications to serve malware or spam, and redirect site visitors to malicious websites (Hacker News).

Users are strongly advised to update to version 1.0.79 or later immediately. Site administrators should also check for suspicious admin accounts and remove them if found. It's important to note that while the plugin has over 100,000 installations, only sites where the plugin is installed and activated but not configured with an API key are vulnerable (Hacker News).