A newly found security issue in a widely used WordPress tool called OttoKit (previously called SureTriggers) has opened the door for cybercriminals to take over websites. Within just a few hours of the problem being shared publicly, hackers began trying to take advantage of it.
OttoKit is a plugin that helps website owners link their WordPress sites with other services such as Google Sheets, Mailchimp, or online stores like WooCommerce. This tool makes it easy to create automated actions—like sending emails or updating customer lists—without needing to write any code. Over one lakh (100,000) websites currently rely on this plugin.
The flaw, which affects all versions up to 1.0.78, is an authentication bypass: it lets an outsider who has never logged in reach parts of the site that should only be available after the usual login checks.
The root of the problem is how the plugin handles its security key. If the plugin was set up without an API key, the internal secret it compares requests against is left blank. A request that carries no real credential therefore supplies a blank value too, the blank values match, and the plugin mistakenly treats the sender as authenticated.
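To show the bug class described above, here is an added PHP illustration (constructed for this article, not OttoKit's own code): the empty-secret comparison beside a hardened version. The header name `X-Plugin-Secret`, the function names and the sample values are assumptions.

```php
<?php
// Constructed illustration of the bug class; this is NOT the plugin's real code.
// A request is authenticated by comparing a secret sent in a request header
// (placeholder name "X-Plugin-Secret") against the secret stored in settings.

// Vulnerable pattern: if no API key was ever configured, the stored secret is
// an empty string. A request that omits the header also yields '', the two
// values "match", and the caller is treated as authenticated.
function authenticate_vulnerable(array $headers, string $stored_secret): bool
{
    $supplied = $headers['X-Plugin-Secret'] ?? '';
    return $supplied == $stored_secret;   // '' == '' evaluates to true: bypass
}

// Hardened pattern: refuse to authenticate while the integration is
// unconfigured, require a non-empty value from the caller, and compare in
// constant time so the check does not leak the secret through timing.
function authenticate_hardened(array $headers, string $stored_secret): bool
{
    if ($stored_secret === '') {
        return false;                     // unconfigured: nothing may match
    }
    $supplied = $headers['X-Plugin-Secret'] ?? '';
    if ($supplied === '') {
        return false;                     // blank credentials are never valid
    }
    return hash_equals($stored_secret, $supplied);
}

// Constructed inputs: a site that never set an API key, and a request that
// carries no secret header at all.
$unconfigured_secret = '';
$anonymous_request   = [];

var_dump(authenticate_vulnerable($anonymous_request, $unconfigured_secret));
var_dump(authenticate_hardened($anonymous_request, $unconfigured_secret));

// With a configured secret, the hardened check still admits the real caller.
$configured_secret = 'constructed-example-secret';
var_dump(authenticate_hardened(['X-Plugin-Secret' => $configured_secret], $configured_secret));
```

The two `var_dump` calls on the unconfigured site are the point of comparison: the vulnerable check admits the anonymous request, the hardened one rejects it.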
This bug lets bad actors create new admin-level users, giving them the ability to fully control the site—change settings, install software, or even lock the real owner out.
A cybersecurity researcher who goes by the name ‘mikemyers’ discovered this error and reported it responsibly. On April 3, the plugin creators fixed the issue and released an updated version, 1.0.79, which closes the
[…]