Summary: A high-severity vulnerability (CVE-2025-3102) in the OttoKit plugin for WordPress allows unauthenticated attackers to create administrator accounts and take over affected sites. Exploitation attempts began shortly after public disclosure, so affected sites should update without delay. The flaw is a missing check on the ‘secret_key’ value used to authenticate API requests: on sites where the plugin is installed but has never been configured with a key, the check can be passed without one. All versions up to and including 1.0.78 are affected.
Affected: OttoKit plugin for WordPress
Keypoints:
- The vulnerability allows unauthenticated administrator account creation on WordPress sites where OttoKit is installed but not yet configured with an API key.
- Exploitation gives complete control of the site, enabling malicious modifications, spam injection, and malware distribution.
- Site owners should update to version 1.0.79 immediately and review the administrator user list for accounts they did not create.
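The failure mode above, as an added illustration written for this page rather than code from OttoKit or its vendor: a plain equality test on an API key silently succeeds when the plugin has never been configured, because both the stored key and the supplied key are empty. The function names, the settings array and the sample keys are assumptions; OttoKit's real code is not reproduced here.

```php
<?php
// Added illustration, not OttoKit's own code. Models the class of bug
// described above: an API-key check that passes when the plugin has never
// been configured, because both the stored key and the supplied key are empty.
// Function and option names are hypothetical.

declare(strict_types=1);

// Simulated plugin settings store. Before the site owner connects the plugin,
// no secret key has been saved, which is modelled here as an empty string.
function stored_secret_key(array $options): string
{
    return $options['secret_key'] ?? '';
}

// Vulnerable pattern: a plain equality check. On an unconfigured site
// $stored is '' and a request with no key (or an empty header) also yields '',
// so the comparison succeeds and the caller is treated as authenticated.
function authenticate_vulnerable(array $options, string $provided): bool
{
    return stored_secret_key($options) === $provided;
}

// Hardened pattern: refuse when either side is empty, then compare in
// constant time so the check neither passes on a missing configuration
// nor leaks information about the key through timing differences.
function authenticate_fixed(array $options, string $provided): bool
{
    $stored = stored_secret_key($options);
    if ($stored === '' || $provided === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

// Constructed scenarios (sample data, not captured traffic).
$unconfigured = [];                                  // plugin installed, never connected
$configured   = ['secret_key' => 'k3y-from-dashboard'];

$cases = [
    ['unconfigured, empty key',  $unconfigured, ''],
    ['unconfigured, random key', $unconfigured, 'attacker-guess'],
    ['configured, wrong key',    $configured,   'attacker-guess'],
    ['configured, correct key',  $configured,   'k3y-from-dashboard'],
];

foreach ($cases as [$label, $opts, $key]) {
    printf("%-28s vulnerable=%s fixed=%s\n",
        $label,
        authenticate_vulnerable($opts, $key) ? 'ALLOW' : 'deny',
        authenticate_fixed($opts, $key) ? 'ALLOW' : 'deny');
}
```

Only the first scenario differs between the two functions: the vulnerable check accepts an empty key on an unconfigured site, which is exactly the state of a freshly installed plugin, while the hardened check denies it. Run with `php` from the command line; no WordPress installation is needed.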
Source: https://thehackernews.com/2025/04/ottokit-wordpress-plugin-admin-creation.html