WordPress Plugin OttoKit Hit by Severe Security Vulnerability

Hackers exploit a critical vulnerability that bypasses authentication in the OttoKit plugin for WordPress.

A critical vulnerability has been discovered in the popular WordPress plugin OttoKit, which is being actively exploited. The vulnerability (CVE-2025-3102) allows attackers to gain unauthorized access to APIs and even create administrator accounts without logging in.

The plugin is active on about 100,000 websites and allows users to connect and automate tools such as WooCommerce, Mailchimp, and Google Sheets without code.

What’s the Issue?

The problem lies in the authenticate_user() function of the plugin's REST API. If no API key has been configured, the internally stored key is an empty string, and the function does not check for that before comparing it with the value of the st_authorization request header. An attacker can therefore pass the check simply by sending an empty st_authorization header.
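To make the failure mode concrete, here is an added illustration of the bug class described above next to a hardened version. This is constructed example code, not OttoKit's own; the option name, route and callback names are hypothetical.

```php
<?php
// Constructed example (not OttoKit's code) of a REST API key check that fails
// when no key has been configured, and a hardened replacement.

// Weak pattern: when the site owner never set a key, get_option() yields ''.
// An empty st_authorization header then compares equal and the check passes.
function weak_authenticate_user( WP_REST_Request $request ) {
    $secret_key = get_option( 'example_api_secret_key', '' ); // hypothetical option
    $header_key = $request->get_header( 'st_authorization' );
    if ( $secret_key !== $header_key ) {
        return new WP_Error( 'rest_forbidden', 'Invalid key', array( 'status' => 401 ) );
    }
    return true; // '' === '' reaches this line
}

// Hardened pattern: refuse when no key is configured, refuse a missing or empty
// header, and compare in constant time with hash_equals().
function hardened_authenticate_user( WP_REST_Request $request ) {
    $secret_key = (string) get_option( 'example_api_secret_key', '' );
    $header_key = (string) $request->get_header( 'st_authorization' ); // null -> ''
    if ( '' === $secret_key || '' === $header_key ) {
        return new WP_Error(
            'rest_forbidden',
            'API key not configured or not supplied',
            array( 'status' => 401 )
        );
    }
    if ( ! hash_equals( $secret_key, $header_key ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid key', array( 'status' => 401 ) );
    }
    return true;
}

// Hypothetical route wired to the hardened permission callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_action',
        'permission_callback' => 'hardened_authenticate_user',
    ) );
} );
```

The key points for a reviewer are the explicit empty-value rejections before any comparison and a constant-time comparison rather than `!==`.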

On April 3, security firm Wordfence was notified of the vulnerability and immediately contacted the company behind the plugin. That same day, OttoKit released a patch in version 1.0.79. Uptake of the update by site owners was slow, however, and attackers quickly took advantage of this. “Attackers exploited this vulnerability rapidly; just four hours after the vulnerability was disclosed,” says security company Patchstack.

What Should You Do?

Update OttoKit to version 1.0.79. Afterward, check your user list for suspicious administrator accounts with random usernames or unknown email addresses. Finally, review logs for suspicious activities such as plugin installations, changes to security settings, or database actions.

Administrators are advised to always apply security updates as quickly as possible.