Fri Apr 11 2025

A bypass vulnerability in a WordPress plugin was exploited almost immediately after it was disclosed.

Within hours of the bug being made public, attackers were already probing sites for it.

A vulnerability has been discovered in the OttoKit plugin for WordPress that allows unauthenticated attackers to create new administrator accounts. The flaw, tracked as CVE-2025-3102 and given a CVSS severity score of 8.1 out of 10 (high), affects all versions of the plugin up to and including 1.0.78, putting the more than 100,000 websites that use it at risk.

Security researchers reported that attacks were being recorded shortly after the vulnerability was made public: the first exploitation attempts were documented less than four hours after disclosure. That speed shows why patches or mitigations must be applied immediately after a vulnerability of this kind is published, not on the next scheduled maintenance window.

The fix shipped in version 1.0.79 of the plugin; version 1.0.80 is the current release. Users are advised to update to the latest version without delay, given that abuse has already been observed in the wild. The attacks are also easy to automate, so thousands of websites could be compromised in a short time. Note that updating closes the hole but does not undo anything an attacker already did: any administrator account created before the update remains in place and must be found and removed separately.
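The two checks that follow from the above, as an added example (this is illustrative code written for this page, not the plugin's own code or anything from the researchers who reported the flaw): decide whether an installed OttoKit version is still in the affected range, and list administrator accounts that appeared after a chosen cut-off date. The version numbers come from the article; the user records, the account names and the cut-off date are constructed for the example, since the article does not give the disclosure date. On a real site the same fields are available from `wp plugin list` and `wp user list`.

```python
"""Triage helper for the OttoKit admin-creation flaw (added example, not plugin code)."""
from __future__ import annotations

from datetime import datetime
from typing import Iterable

FIXED_VERSION = "1.0.79"   # first patched release named in the article
LATEST_VERSION = "1.0.80"  # current release at the time the article was written


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.0.78' into (1, 0, 78) so releases compare numerically.

    Plain string comparison gets this wrong: as strings '1.0.78' < '1.0.8',
    but 1.0.78 is the newer release. Comparing integer tuples avoids that.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first patched release."""
    return parse_version(installed) < parse_version(fixed)


def new_admins_since(users: Iterable[dict], since: datetime) -> list[str]:
    """Return logins of administrator accounts registered at or after `since`.

    Each user dict mirrors fields that `wp user list` exposes: user_login,
    roles (list of role slugs) and user_registered ('YYYY-MM-DD HH:MM:SS').
    """
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(u["user_login"])
    return flagged


# Constructed sample data for a hypothetical site; not real accounts.
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"], "user_registered": "2021-06-14 09:12:00"},
    {"user_login": "editor1", "roles": ["editor"], "user_registered": "2025-04-05 10:00:00"},
    {"user_login": "backup_admin", "roles": ["administrator"], "user_registered": "2025-04-09 03:41:17"},
]
# Assumed cut-off for the example. The article does not state the disclosure
# date, so pick the date from which new administrator accounts deserve scrutiny.
SAMPLE_SINCE = datetime(2025, 4, 1)

if __name__ == "__main__":
    for v in ("1.0.78", "1.0.79", "1.0.80"):
        print(v, "affected" if is_affected(v) else "patched")
    print("admins created since cut-off:", new_admins_since(SAMPLE_USERS, SAMPLE_SINCE))
```

Any login the second check returns that the site owner does not recognise should be treated as evidence of compromise, not just deleted: rotate credentials and API keys and look for other persistence (new plugins, modified files, scheduled tasks) before considering the site clean.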

OttoKit is a workflow automation platform that connects applications, services, and WordPress plugins, allowing users to automate repetitive tasks. Previously known as SureTriggers, it supports integration with over 1,000 applications.

It is essential for WordPress website owners to keep all their plugins and themes updated and to uninstall or deactivate those that are not in use.