module
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
| Disclosed |
|---|
| Mar 13, 2025 |
Disclosed
Mar 13, 2025
Description
Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin:
- CVE-2025-3102: admin creation via St-Authorization Bearer (empty)
- CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header
- CVE-2025-3102: admin creation via St-Authorization Bearer (empty)
- CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.