Website owners using the OttoKit WordPress plugin, formerly known as SureTriggers, are being urged to take immediate action due to a serious security flaw. The OttoKit WordPress plugin vulnerability has put over 100,000 websites at risk. Two major flaws, tracked as CVE-2025-27007 and CVE-2025-3102, allow attackers to gain admin-level access without needing to log in. This means hackers can hijack sites, add rogue accounts, and take control of critical settings with little effort.

The first vulnerability (CVE-2025-27007) is tied to how the plugin connects to WordPress installations that don’t use application passwords. Without this basic layer of protection, it becomes easier for an attacker to exploit the system. The second flaw (CVE-2025-3102), which has been under active attack since April 2025, lets threat actors create new admin accounts—giving them full access without raising alarms.

Researchers have already seen scans and exploitation attempts in the wild. Hackers are actively hunting down sites that haven’t been updated, hoping to slip through these cracks before they’re patched. Unfortunately, many website owners may not be aware their site is at risk—especially if they haven’t updated plugins recently or rely on auto-installs that miss patch notes.

If you’re running OttoKit, the best thing you can do right now is update to version 1.0.83. This release fixes both vulnerabilities and stops attackers from using these specific entry points. Delaying even a few days can leave your site wide open, especially with exploits now circulating publicly.
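As an added, defender-side example that is not part of the original article, the following Python snippet reads the `Version:` field from a WordPress plugin header and compares it numerically against the patched release named above (string comparison would wrongly rank 1.0.9 above 1.0.83). The sample header is constructed and the file path argument is an assumption; only the version 1.0.83 comes from the article.

```python
import re

# Patched release named in the article; anything older is exposed to
# CVE-2025-27007 and CVE-2025-3102.
PATCHED_VERSION = "1.0.83"

# Constructed sample of a WordPress plugin header block, as found at the
# top of a plugin's main PHP file (the real OttoKit header will differ).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: OttoKit (constructed sample)
 * Version: 1.0.9
 */
"""


def parse_version(text):
    """Return the 'Version:' value from a plugin header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """Numeric tuple so that 1.0.9 < 1.0.83; plain string compare gets this wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed, patched=PATCHED_VERSION):
    """True when the installed version is at or above the patched release."""
    a, b = version_tuple(installed), version_tuple(patched)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def check_header(text):
    """Classify a plugin header as 'patched', 'vulnerable (...)' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "patched" if is_patched(v) else f"vulnerable ({v} < {PATCHED_VERSION})"


def check_plugin_file(path):
    """Read the top of a plugin's main PHP file (assumed path) and classify it."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return check_header(f.read(4096))


if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))
```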

Cybersecurity experts are calling this a high-priority issue for WordPress users. The longer these flaws stay unpatched, the more likely it is that sites will be compromised. Don’t wait for damage to happen—take action today.

News Source: thehackernews.com

Don’t wait for a breach. For expert updates on WordPress plugin flaws, visit SOC News Today.