Published on April 11, 2025 | Category: tech

WordPress plugin auth bypass exploited almost immediately after disclosure

News

By Sead Fadilpašić published 11 April 2025

Just hours after a bug were disclosed, hackers started scanning

Image credit: Shutterstock (Image credit: Shutterstock)

A bug in OttoKit allows threat actors to create new admin accounts
The bug can lead to full website takeover
More than 100,000 websites are at risk

Almost immediately after being disclosed to the public, a vulnerability in a WordPress plugin was used in an attack, security researchers have warned.

Earlier this week, security outfit Wordfence disclosed an authentication bypass in OttoKit, the all-in-one workflow authentication platform. The vulnerability is tracked as CVE-2025-3102, and was given a severity score 8.1/10 (high).

It affects all versions of the plugin up to 1.0.78, and allows threat actors to create new administrator accounts without authentication. The accounts can then be used for full website takeover, posing immense risk for hundreds of thousands of WordPress-powered websites using this plugin. The WordPress website showed “100,000+ active installations."

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Hours to attack

The first clean version is 1.0.79 although at the moment, version 1.0.80 is available for download. Users are advised to upgrade their plugin to the newest version as soon as possible, especially since in-the-wild abuse was already observed.

According to Patchstack, the first attempts at exploiting the flaw were logged just “hours” after the flaw was disclosed, BleepingComputer reported.

“Attackers were quick to exploit this vulnerability, with the first recorded attempt occurring just four hours after it was added as a vPatch to our database,” reports Patchstack. “This swift exploitation highlights the critical need to apply patches or mitigations immediately upon the public disclosure of such vulnerabilities,” the researchers said.

To make matters worse, there is evidence pointing to the attacks being automated, meaning thousands of websites could quickly be compromised.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

OttoKit is an all-in-one workflow automation platform designed to connect applications, services, and WordPress plugins. It allows users to automate repetitive tasks and streamline business processes. It was formerly known as SureTriggers, and supports integration with more than 1,000 apps.

WordPress’ plugins and themes are almost constantly being scanned for vulnerabilities. Website owners are advised to uninstall and disable all the ones they’re not using at any given moment, and keep the ones they do up to date.

Via BleepingComputer

Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Thousands of WordPress websites hit in new malware attack, here's what we know WordPress users beware - these popular theme plugins have some major security issues Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw This top WordPress plugin could be hiding a worrying security flaw, so be on your guard Thousands of WordPress sites targeted with malicious plugin backdoor attacks SonicWall firewalls hit by worrying cyberattack Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware A key WordPress feature has been hijacked to show malicious code, spam images Palo Alto Networks PAN-OS sees authentication bypass under attack from hackers Millions of airline customers possibly affected by OAuth security flaw US government warns agencies to make sure their backups are safe from NAKIVO security issue SonicWall VPN flaw could allow hackers to hijack your sessions, so patch now

Latest in Security

WordPress plugin auth bypass exploited almost immediately after disclosure Operation Endgame follow-up leads to detentions across Smoakloader ecosystem ESET security scanner vulnerability used to deploy TCESB malware Immutable backup storage is the best protection against ransomware, but many businesses don’t have it US businesses are the top target for ransomware in 2025 so far AkiraBot network hits thousands of sites with CAPTCHA bypassing AI spam This critical FortiSwitch flaw allows hackers to change admins passwords, and they can even do it remotely Google unveils new security AI agents to keep your business safe from the latest threats Google Unified Security brings the power of AI to your security suite Panda Dome review Spyware combing for data 'of use to China' hidden inside religious and cultural apps Hackers go after influencers and content creators to hit followers with malware, steal data

Latest in News

The Future Games Show Summer Showcase is back this year, just a couple of days after Nintendo Switch 2's launch WordPress plugin auth bypass exploited almost immediately after disclosure Google Docs' new AI voice will help you catch mistakes "AI is simplifying technology itself" - Google Cloud CEO outlines AI hopes, tariff strategy and plans for future data centers OpenAI just upgraded memory for ChatGPT – here's everything you need to know Yes, Nintendo Switch 2 Edition games will contain the upgrades on the cartridge, but it seems Breath of the Wild DLC will still need to be purchased separately Valve leak hints that its next VR headset could be landing sooner than we realized The hottest new AI image trend is Sora users begging for new features using its built-in image generation features, and I’m here for it Nintendo says its divisive Game-Key Cards will help 'future-proof' the Switch 2 Nvidia RTX 5060 Ti benchmark leak hints at performance boost over its predecessor – but it won’t matter if it doesn’t stay at retail price Samsung Galaxy Z Fold 7 colors: every rumored and predicted shade Is Microsoft getting truly desperate with adverts now? I’m seriously unimpressed with a new ‘suggestion’ to buy Avowed in Windows 10 and Windows 11

WordPress plugin auth bypass exploited almost immediately after disclosure

WordPress plugin auth bypass exploited almost immediately after disclosure

Hours to attack

Are you a pro? Subscribe to our newsletter

You might also like

You must confirm your public display name before commenting

Related Articles

Spotify is about to be flooded with AI-made ads, and I wonder if it will make much of a difference to businesses

CinemaCon 2025 live – first Avatar 3 reaction, juicy Fantastic Four news,

NYT Wordle today — answer and my hints for game #1385, Friday, April 4