What the vulnerability does
01 Description
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
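The PHP snippet below is an added illustration, not code from the SureTriggers/OttoKit plugin. It models the class of check the description refers to: a stored API secret compared against a caller-supplied value with no guard for the unconfigured (empty) case, placed beside a fail-closed version of the same check. The function names, the argument shapes, the option and header handling, and the test vectors are all assumptions; in a real plugin the stored value would typically come from get_option() and the supplied value from the REST request, but here both are passed in so the file runs stand-alone with the PHP CLI.

```php
<?php
// Added illustration, not the plugin's code. Models the bug class described
// above: an API-key check that compares a stored secret with a caller-supplied
// value without first rejecting the "no key configured" state.
// All names (demo_*), inputs and test vectors below are assumptions.

// --- Weak pattern: empty stored key == empty supplied value -> "authenticated" ---
function demo_weak_authenticate(string $stored_secret, ?string $supplied): bool
{
    // If the site has never been configured, $stored_secret is '' and a request
    // carrying an empty (or absent) value compares equal. This fails open.
    return $stored_secret === (string) $supplied;
}

// --- Hardened pattern: fail closed when unconfigured, then constant-time compare ---
function demo_hardened_authenticate(string $stored_secret, ?string $supplied): bool
{
    // No key configured: deny every request, regardless of what was sent.
    if ($stored_secret === '') {
        return false;
    }
    // Missing or empty supplied value: deny.
    if ($supplied === null || $supplied === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the comparison itself does
    // not leak how much of the secret matched.
    return hash_equals($stored_secret, $supplied);
}

// Constructed test vectors covering the states a site can be in.
$cases = [
    // [stored secret, supplied value, label]
    ['',       '',       'unconfigured site, empty value'],
    ['',       null,     'unconfigured site, value absent'],
    ['s3cret', '',       'configured site, empty value'],
    ['s3cret', 'wrong',  'configured site, wrong key'],
    ['s3cret', 's3cret', 'configured site, correct key'],
];

foreach ($cases as [$stored, $supplied, $label]) {
    printf(
        "%-34s weak=%-5s hardened=%s\n",
        $label,
        demo_weak_authenticate($stored, $supplied) ? 'ALLOW' : 'deny',
        demo_hardened_authenticate($stored, $supplied) ? 'ALLOW' : 'deny'
    );
}
```

The design point is that the hardened version decides on the server's own state first: an unconfigured secret is a reason to deny, never a value to compare against. Any privileged action gated by such a check (account creation included) inherits that fail-closed behaviour, whereas the weak version grants access precisely in the "installed but not yet configured" state the description calls out.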
Explanation of Vulnerability in Simple Terms
02 Summary
OttoKit versions up to 1.0.78 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service availability. The attack requires network access and specific technical conditions but no authentication. The exact mechanism is not fully documented in available sources.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify content, or disrupt the site without logging in.
Potential impact on your site
04 Site Impact
Confidential data exposure, unauthorized content changes, or service downtime affecting site operations.
Conditions required to exploit
05 Prerequisites
Network access; specific technical conditions must be met (high attack complexity).
Key dates
06 Disclosure timeline
April 10, 2025: CVE published
April 8, 2026: Record updated