
OttoKit WordPress Plugin Hacked: How 100K+ Sites Fell Prey to Sneaky Exploits 🕵️‍♂️💻

6 min read · May 9, 2025

Imagine installing a shiny WordPress plugin to automate your site’s workflows, only to discover it’s a Trojan horse that hands hackers the keys to your digital kingdom. That’s the nightmare unfolding for over 100,000 websites using the OttoKit WordPress plugin (formerly SureTriggers), hit by two critical vulnerabilities in April and May 2025. 😱 Tracked as CVE-2025-3102 and CVE-2025-27007, these flaws let attackers create rogue admin accounts without authentication, sparking a wave of exploits that began just hours after disclosure. Let’s dive into the technical trickery, unpack how hackers are hijacking sites, and share tips to keep your WordPress fortress secure. 🚨

What’s OttoKit, and Why the Fuss? 🤔

OttoKit is a popular automation and integration plugin that lets WordPress admins connect their sites to tools like WooCommerce, Mailchimp, and Google Sheets, automating tasks like sending emails or updating CRMs. With 100,000+ active installations, it’s a staple for bloggers, e-commerce stores, and businesses. But in April 2025, two critical flaws turned OttoKit into a hacker’s playground:

  • CVE-2025-3102 (CVSS: 8.1): An authentication bypass flaw that lets attackers create admin accounts on unconfigured sites.
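Both flaws end the same way: an administrator account that nobody on the site team created. As an added defender-side check (example code, not from the article or the OttoKit project), the script below audits the JSON produced by the real WP-CLI command `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered,roles` against an allowlist of known admin logins and a cutoff date; the sample JSON, the allowlist and the cutoff are constructed assumptions for this demonstration.

```python
"""Audit WordPress administrator accounts for signs of rogue admin creation.

Added example, not code from the article or the OttoKit plugin. Input is the
JSON shape emitted by:
    wp user list --role=administrator --format=json \
        --fields=ID,user_login,user_email,user_registered,roles
The allowlist and cutoff date are assumptions chosen for this demonstration.
"""
import json
from datetime import datetime

# Constructed sample in the shape WP-CLI produces for the command above.
SAMPLE_ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-02-11 09:14:02", "roles": "administrator"},
    {"ID": 57, "user_login": "wpsupport_01", "user_email": "x@mail.invalid",
     "user_registered": "2025-04-10 22:41:15", "roles": "administrator"},
    {"ID": 58, "user_login": "backupadmin", "user_email": "y@mail.invalid",
     "user_registered": "2025-05-04 03:02:48", "roles": "administrator"},
])

WP_DATE = "%Y-%m-%d %H:%M:%S"  # format WordPress stores in user_registered


def suspicious_admins(users_json, known_logins, cutoff):
    """Return (ID, login, reasons) for administrator accounts that are not on
    the allowlist or were registered on/after the cutoff (for example, the day
    a plugin vulnerability was disclosed). Either condition alone is enough.
    """
    cutoff_dt = datetime.strptime(cutoff, WP_DATE)
    findings = []
    for u in json.loads(users_json):
        # roles is a comma-separated string in WP-CLI output; skip non-admins
        if "administrator" not in u.get("roles", "").split(","):
            continue
        registered = datetime.strptime(u["user_registered"], WP_DATE)
        reasons = []
        if u["user_login"] not in known_logins:
            reasons.append("not in allowlist")
        if registered >= cutoff_dt:
            reasons.append("registered after cutoff")
        if reasons:
            findings.append((u["ID"], u["user_login"], reasons))
    return findings


if __name__ == "__main__":
    # Assumed allowlist and cutoff; replace with your own site's values.
    for uid, login, why in suspicious_admins(
            SAMPLE_ADMINS_JSON, {"siteowner"}, "2025-04-09 00:00:00"):
        print(f"ID {uid} ({login}): {', '.join(why)}")
```

Any hit deserves a look at the account's email, last login and capabilities before deciding whether to delete it and rotate credentials.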

Written by Ismail Tasdelen

I'm Ismail Tasdelen. I have been working in the cyber security industry for 8+ years. Don't forget to follow and applaud to support my content.