WordPress Plugins Security Vulnerabilities
May 2025
WordPress remains the world’s most popular content management system, powering over 40% of all websites. However, its vast ecosystem of plugins and themes continues to be a prime target for cybercriminals. In May 2025, several critical vulnerabilities were disclosed, underscoring the importance of proactive security measures for site administrators.
1. Crawlomatic – Arbitrary File Upload Leading to Remote Code Execution
Severity: Critical (CVSS 9.8)
Impact: Complete site compromise, remote code execution.
Status: Patched in latest update.
Active Exploitation: Observed in the wild.
A severe vulnerability was identified in the Crawlomatic plugin, which allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. This flaw affects versions up to 2.6.8.1 and has been assigned a CVSS score of 9.8, indicating critical severity. Users are urged to update to the latest version immediately to mitigate potential exploitation.
2. Privilege Escalation in OttoKit Plugin (CVE-2025-3102)
Severity: High
Impact: Unauthorized administrative access, full control of affected sites.
Status: Fixed in version 1.0.83.
Active Exploitation: Actively exploited since early May 2025.
The OttoKit plugin, installed on over 100,000 websites, was found to have a logic error that permits unauthenticated users to create administrator-level accounts via its API. Exploitation of this vulnerability began as early as May 2, 2025, with mass attacks observed shortly thereafter. Administrators should update to version 1.0.83 to address this issue.
3. Unauthorized Admin Account Creation in Eventin Plugin (CVE-2025-47539)
Severity: Critical
Impact: High risk of unauthorized admin access.
Status: Patched in version 4.0.27.
Active Exploitation: Exploits detected, widespread attacks.
A critical flaw in the Eventin plugin allows attackers to create administrator accounts without authentication. The vulnerability stems from an unsecured REST API endpoint responsible for speaker imports. With over 10,000 websites using Eventin, the potential impact is significant. Updating to version 4.0.27 is essential to secure affected sites.
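Both the OttoKit and Eventin issues come down to a REST route that creates users without checking who is calling it. The following is an added example, not code from either plugin, contrasting the weak registration pattern with a hardened one; the route namespace, callback names and the `email` parameter are hypothetical.

```php
<?php
// Added example (not OttoKit's or Eventin's code). Namespace, route and
// function names are hypothetical.

// WEAK: the permission callback unconditionally returns true, so any
// unauthenticated caller reaches the user-creating callback. This is the
// shape of the unauthenticated admin-creation bugs described above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-speaker-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speaker',
        'permission_callback' => '__return_true', // weak: no caller check at all
    ) );
} );

// HARDENED: the caller must already hold the capability to create users.
// For cookie-authenticated callers WordPress validates the X-WP-Nonce header
// before this runs; without a valid nonce the current user is 0 and the
// capability check fails. Input is validated and sanitized per argument.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-speaker', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speaker',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'create_users' );
        },
        'args' => array(
            'email' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
} );

// The callback itself never takes the role from the request: a speaker
// import creates a low-privilege account with a server-chosen role.
function example_import_speaker( WP_REST_Request $request ) {
    $email = $request->get_param( 'email' );
    $login = sanitize_user( strstr( $email, '@', true ), true );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber', // fixed server-side, never request-controlled
    ) );

    if ( is_wp_error( $user_id ) ) {
        return new WP_Error( 'import_failed', $user_id->get_error_message(), array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}
```

The two things to check when reviewing any plugin's REST routes are the `permission_callback` (a `__return_true` on a state-changing route is a finding unless the route is genuinely public) and whether the role or capabilities assigned to a new account can be influenced by request data.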
4. Cross-Site Request Forgery in ALT Monitoring Plugin (CVE-2025-4194)
Severity: Medium
Impact: Potential unauthorized changes, data compromise.
Status: Plugin temporarily withdrawn pending security review.
Active Exploitation: No confirmed exploits yet.
The ALT Monitoring plugin, up to version 1.0.3, contains a CSRF vulnerability due to missing nonce validation on its edit page. Because the form handler never verifies that the request originated from the plugin's own page, an attacker who lures a logged-in administrator to a crafted page can have that administrator's browser submit unauthorized changes, potentially compromising site integrity. The plugin has been temporarily removed pending a security review, and users are advised to deactivate it until a patched version is available.
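The fix for this class of bug is the standard WordPress nonce pattern: the form embeds a nonce tied to an action name, and the handler verifies it before writing anything. The following is an added example, not the ALT Monitoring plugin's code; the option name, menu slug and function names are hypothetical.

```php
<?php
// Added example (not the ALT Monitoring plugin's code). Option name, menu slug
// and function names are hypothetical.

// Settings page: every state-changing form carries a nonce field bound to the
// action name the handler will check.
function example_render_edit_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $current = get_option( 'example_monitor_target', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_target">
        <?php wp_nonce_field( 'example_save_target', 'example_nonce' ); ?>
        <input type="text" name="target" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// WEAK handler (shown for contrast, never registered): a capability check
// alone does not stop CSRF, because the forged request rides on the
// administrator's own session cookie and passes current_user_can().
function example_save_target_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    update_option( 'example_monitor_target', sanitize_text_field( wp_unslash( $_POST['target'] ?? '' ) ) );
}

// HARDENED handler: capability check plus nonce verification before any write.
function example_save_target() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce against the action name and
    // stops with a 403 "link has expired" page when it is missing or invalid.
    check_admin_referer( 'example_save_target', 'example_nonce' );

    $target = sanitize_text_field( wp_unslash( $_POST['target'] ?? '' ) );
    update_option( 'example_monitor_target', $target );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-monitor' ) ) );
    exit;
}
add_action( 'admin_post_example_save_target', 'example_save_target' );

add_action( 'admin_menu', function () {
    add_options_page( 'Example Monitor', 'Example Monitor', 'manage_options', 'example-monitor', 'example_render_edit_page' );
} );
```

When auditing a plugin for this issue, look for `update_option()`, `wp_update_post()` or similar writes reachable from `admin_post_*`, `admin-ajax.php` or `admin_init` handlers that are not preceded by `check_admin_referer()` or `wp_verify_nonce()`; a capability check on its own is not sufficient.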
5. Surge in Plugin Vulnerabilities
Severity: Varies (medium to critical)
Impact: Increased risk of exploitation across numerous plugins.
Status: Partial patches; numerous plugins awaiting updates.
Active Exploitation: Exploitation attempts observed across multiple plugins.
Reports indicate a significant increase in disclosed vulnerabilities within the WordPress ecosystem. For instance, between May 5 and May 11, 2025, 222 vulnerabilities were reported across 202 plugins and 2 themes. Similarly, another report highlighted 234 new vulnerabilities, with 92 remaining unpatched. This trend emphasizes the need for continuous monitoring and timely updates.
Conclusion
The disclosed vulnerabilities highlight the persistent security challenges within the WordPress ecosystem. Site administrators must remain vigilant, ensuring all plugins and themes are regularly updated and monitoring for any unusual activity. Employing security plugins, implementing strong authentication measures, and staying informed about emerging threats are crucial steps in safeguarding WordPress websites against potential exploits.
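Two of the bugs above end in the same observable outcome, a new administrator account, regardless of which plugin was abused. One concrete form of the "monitoring for unusual activity" recommended here is a must-use plugin that alerts on that outcome directly. The following is an added example, not code from any plugin discussed on this page; the option name, hook names and e-mail wording are hypothetical.

```php
<?php
// Added example (not from any plugin described above). Drop this file into
// wp-content/mu-plugins/ so it loads before regular plugins and cannot be
// deactivated from the admin UI. Option and function names are hypothetical.

// Immediate alert: fires whenever an account is given the administrator role,
// whether through wp_insert_user() with a role, WP_User::set_role() or add_role().
function example_alert_on_admin_grant( $user_id, $role, $old_roles = array() ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user();

    $line = sprintf(
        '[%s] administrator role granted to #%d (%s, %s) by user #%d via %s from %s',
        gmdate( 'c' ),
        $user_id,
        $user ? $user->user_login : '?',
        $user ? $user->user_email : '?',
        $actor->ID,
        $_SERVER['REQUEST_URI'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? ''
    );
    // An unauthenticated REST exploit appears here as actor #0 on a /wp-json/
    // path, which is the signature of the admin-creation bugs described above.
    error_log( $line );
    wp_mail( get_option( 'admin_email' ), 'New administrator on ' . home_url(), $line );
}
add_action( 'set_user_role', 'example_alert_on_admin_grant', 10, 3 );
add_action( 'add_user_role', 'example_alert_on_admin_grant', 10, 2 );

// Daily audit: compare the current administrator set with a stored baseline.
// This also catches accounts promoted by writing wp_capabilities usermeta
// directly, which fires none of the role hooks above.
function example_audit_admins() {
    $admins   = get_users( array( 'role' => 'administrator', 'fields' => array( 'ID', 'user_login' ) ) );
    $current  = wp_list_pluck( $admins, 'user_login', 'ID' );
    $baseline = get_option( 'example_admin_baseline', array() );
    $added    = array_diff_key( $current, $baseline );

    if ( $baseline && $added ) {
        $line = sprintf( '[%s] administrators not in baseline: %s', gmdate( 'c' ), implode( ', ', $added ) );
        error_log( $line );
        wp_mail( get_option( 'admin_email' ), 'Administrator audit on ' . home_url(), $line );
    }
    // The baseline is refreshed on every run so the next diff is against the
    // last reviewed state; an operator should reset it after removing a rogue account.
    update_option( 'example_admin_baseline', $current, false );
}
add_action( 'example_audit_admins', 'example_audit_admins' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_audit_admins' ) ) {
        wp_schedule_event( time(), 'daily', 'example_audit_admins' );
    }
} );
```

The hook-based alert gives near-real-time notice for the common exploitation path, while the baseline audit closes the gap for changes that bypass the role API. Both rely on WP-Cron and `wp_mail()` being functional, so on sites where outbound mail is disabled the `error_log()` line should be forwarded to whatever log collection is already in place.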