A newly found security issue in a widely used WordPress tool called OttoKit (previously called SureTriggers) has opened the door for cybercriminals to take over websites. Within just a few hours of the problem being shared publicly, hackers began trying to take advantage of it.
OttoKit is a plugin that helps website owners link their WordPress sites with other services such as Google Sheets, Mailchimp, or online stores like WooCommerce. This tool makes it easy to create automated actions—like sending emails or updating customer lists—without needing to write any code. Over 100,000 (one lakh) websites currently rely on this plugin.
The major issue, which affects all versions up to 1.0.78, lets an unauthenticated outsider get into a website without logging in. In other words, attackers can bypass the plugin's usual authentication check and reach privileged parts of the site.
The root of the problem lies in how the plugin validates its security key. If the plugin was installed but never configured with an API key, the internal “secret code” it checks against remains blank. An attacker can then send a forged request carrying no real login details, and because there is no real secret to check against, the plugin mistakenly treats the request as authenticated.
This bug lets bad actors create new admin-level users, giving them full control of the site: changing settings, installing software, or even locking the real owner out.
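To make the bug class concrete, here is an added illustration of a key check that fails when the stored secret is blank, alongside a hardened version. This is a hypothetical reconstruction written for this article, not OttoKit's own code; the function names, the empty-string default, and the sample key are assumptions.

```php
<?php
// Hypothetical reconstruction of the bug class described above, not the
// plugin's real code. Assumptions: an unconfigured install stores '' as its
// secret, and a request with no key yields '' or null for the supplied value.

// Vulnerable pattern: the supplied key is compared directly against the stored
// secret. When the secret was never configured it is '', a request with no key
// also normalises to '', and the loose comparison treats them as equal, so an
// unauthenticated caller is accepted.
function vulnerable_verify_request(string $stored_secret, ?string $supplied): bool
{
    $supplied = $supplied ?? '';        // a missing key becomes an empty string
    return $supplied == $stored_secret; // blank secret vs blank key: accepted
}

// Hardened pattern: a blank (unconfigured) secret is a hard failure, a missing
// or empty key is rejected before any comparison, and the comparison itself is
// constant-time so timing does not leak information about the real key.
function hardened_verify_request(string $stored_secret, ?string $supplied): bool
{
    if ($stored_secret === '' || $supplied === null || $supplied === '') {
        return false;                   // never authenticate against a blank secret
    }
    return hash_equals($stored_secret, $supplied);
}

// Constructed scenario 1: plugin installed but never given an API key, and the
// request carries no key at all. The vulnerable check accepts this request;
// the hardened check rejects it.
$unconfigured_secret = '';   // assumed value for an unconfigured install
$no_key              = null; // request without any key
var_dump(vulnerable_verify_request($unconfigured_secret, $no_key));
var_dump(hardened_verify_request($unconfigured_secret, $no_key));

// Constructed scenario 2: a configured install. Only the matching key should
// pass the hardened check; a wrong key is rejected.
$configured_secret = 'constructed-example-key';
var_dump(hardened_verify_request($configured_secret, 'constructed-example-key'));
var_dump(hardened_verify_request($configured_secret, 'wrong-key'));
```

Run with `php example.php`; the first var_dump shows the bypass (the vulnerable check accepts a keyless request against a blank secret), and the hardened check refuses it because an unconfigured secret must never authenticate anyone.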
A cybersecurity researcher who goes by the name 'mikemyers' discovered this error and reported it responsibly. On April 3, the plugin creators fixed the issue and released an updated version, 1.0.79, which closes the security hole.
Unfortunately, attackers were fast to act. Experts from Patchstack, a company that tracks WordPress security, said they noticed the first hacking attempts just four hours after the bug was made public. Hackers used automated tools to create random admin accounts, hoping to break into websites that hadn’t yet been updated.
This case highlights how important it is to quickly install software updates, especially when they fix security flaws.
If your site uses OttoKit or SureTriggers, it is strongly advised to upgrade to version 1.0.79 immediately. Also review your user accounts for anything unusual, such as new administrators you didn’t create, and look for any strange activity involving plugins, themes, or database access.