Programmer’s Digest #130

04/09/2025-04/16/2025: Critical Apache Roller Vulnerability, Incomplete Patching Leaves Nvidia, Docker Exposed to DoS Attacks, Vulnerability in OttoKit WordPress Plugin And More.

1. Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical vulnerability (CVE-2025-24859, CVSS score: 10.0) has been discovered in Apache Roller, an open-source Java-based blogging platform, affecting versions up to 6.1.4. The flaw allows attackers to retain access through existing sessions even after a user changes their password, posing serious security risks. This is due to improper invalidation of active sessions, enabling continued unauthorized access if credentials were compromised. The issue has been fixed in version 6.1.5 with centralized session management that terminates sessions when passwords are changed or users are disabled. This comes amid other high-severity Apache issues, including a critical bug in Apache Parquet’s Java Library (CVE-2025-30065) allowing code execution, and a recent exploit targeting Apache Tomcat (CVE-2025-24813).
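The session-handling defect described above, shown as an added illustration in Python rather than Roller's own Java code: a centralized session registry is the only thing that can make "change password" or "disable user" actually terminate live sessions. The password hash, the `SessionManager` class and the function names are constructed for this example and are not Roller's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class User:
    name: str
    password_hash: str
    enabled: bool = True

def hash_password(password: str) -> str:
    # Toy hash for illustration only; a real system uses a slow KDF (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()

class SessionManager:
    def __init__(self) -> None:
        self._owner = {}   # session token -> username
        self._tokens = {}  # username -> set of session tokens

    def login(self, user: User, password: str):
        if not user.enabled or not hmac.compare_digest(
                user.password_hash, hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)
        self._owner[token] = user.name
        self._tokens.setdefault(user.name, set()).add(token)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._owner

    def revoke_all(self, username: str) -> int:
        # Terminate every session of this user; returns how many were dropped.
        tokens = self._tokens.pop(username, set())
        for token in tokens:
            self._owner.pop(token, None)
        return len(tokens)

def change_password_unpatched(user: User, new_password: str, sessions: SessionManager) -> None:
    # The pre-fix behaviour described above: the credential changes, live sessions survive.
    user.password_hash = hash_password(new_password)

def change_password_patched(user: User, new_password: str, sessions: SessionManager) -> None:
    user.password_hash = hash_password(new_password)
    sessions.revoke_all(user.name)

def disable_user(user: User, sessions: SessionManager) -> None:
    user.enabled = False
    sessions.revoke_all(user.name)
```

The unpatched path leaves a previously issued token valid after the password changes; the patched path revokes every session for the account on both password change and account disable.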

2. Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

Cybersecurity researchers have uncovered a malicious Python package, ccxt-mexc-futures, on the PyPI repository that rerouted trading orders on the MEXC exchange to a malicious server, stealing crypto tokens and sensitive data. Masquerading as an extension of the legitimate ccxt library, the package was downloaded over 1,000 times before removal. It secretly modified MEXC-related APIs to redirect user requests to attacker-controlled domains, enabling unauthorized access and arbitrary code execution. The malicious code targeted three core ccxt functions—describe, sign, and prepare_request_headers—and exfiltrated API keys to a fake MEXC domain. Users are urged to revoke exposed tokens and uninstall the package immediately. This discovery comes amid growing concerns about supply chain attacks, including counterfeit packages across npm, PyPI, and other ecosystems. New research also warns that AI models can “hallucinate” non-existent packages, potentially leading developers to install malicious code—an emerging threat known as slopsquatting.

3. Hackers Exploit WordPress Plugin Auth Bypass Hours After Disclosure

Hackers began exploiting a high-severity authentication bypass flaw (CVE-2025-3102) in the OttoKit (formerly SureTriggers) WordPress plugin just hours after it was publicly disclosed. The vulnerability affects versions up to 1.0.78 and allows attackers to create admin accounts without authentication, risking full site takeover. The issue stems from a missing check in the authenticate_user() function when no API key is set, allowing an attacker to send an empty st_authorization header to gain unauthorized access. OttoKit, used on over 100,000 websites to automate tasks with tools like WooCommerce and Mailchimp, released a fix in version 1.0.79 on April 3. Users are strongly urged to upgrade to version 1.0.79.

4. Incomplete Patching Leaves Nvidia, Docker Exposed to DoS Attacks

A critical race condition bug (CVE-2024-0132) in the Nvidia Container Toolkit remains exploitable despite multiple patches. Rated CVSS 9.0, the Time-of-Check Time-of-Use (TOCTOU) flaw could allow crafted container images to access the host file system, leading to container escapes, code execution, or data theft. Trend Micro found that versions 1.17.3 and earlier are still vulnerable, while version 1.17.4 can be exploited if the optional feature “allow-cuda-compat-libs-from-containers” is enabled. The bug can also trigger a denial-of-service (DoS) attack on Docker for Linux by bloating the mount table and exhausting file descriptors, potentially locking users out.

Attackers could chain exploits to gain root access and launch a DoS using malicious container images. Nvidia’s patch, issued in September 2024 and updated in February 2025, may still be incomplete. Trend Micro advises disabling the optional rollback feature and restricting Docker API access to prevent exploitation and maintain system integrity.

5. Vulnerability in OttoKit WordPress Plugin Exploited in the Wild

A high-severity vulnerability (CVE-2025-3102, CVSS 8.1) in the OttoKit WordPress plugin is being actively exploited, potentially exposing over 100,000 websites to takeover. Formerly known as SureTriggers, OttoKit allows admins to automate tasks and connect apps and plugins.

The flaw stems from a missing check in a permission function. If OttoKit is installed but not configured with an API key, an attacker can submit an empty secret key, matching the plugin’s database, and gain access to REST API endpoints. This allows the creation of admin accounts, enabling attackers to upload malicious files, inject spam, or redirect users.

Only unconfigured installations are vulnerable, but Defiant confirms real-world exploitation. Users are urged to update to version 1.0.79 or later, which includes a fix released on April 3.
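The missing-check logic from items 3 and 5, as an added Python illustration (not the plugin's PHP code): the unpatched comparison accepts an empty header against an empty stored key, while the patched version refuses any request when no key is configured and compares in constant time. The `install_exposed` triage helper applies the two conditions the advisory gives (release 1.0.78 or earlier, no API key set); its name, the header helper and the simulated endpoint are constructed for this example.

```python
import hmac

def _header(headers: dict, name: str):
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())

def authenticate_unpatched(headers: dict, stored_secret) -> bool:
    # Behaviour described above: the header is compared with the stored key and nothing
    # checks that a key was ever configured. An unconfigured install stores an empty key,
    # so an empty st_authorization header compares equal to it.
    provided = _header(headers, "st_authorization") or ""
    return provided == (stored_secret or "")

def authenticate_patched(headers: dict, stored_secret) -> bool:
    # No API key configured: nothing can legitimately authenticate, so refuse outright.
    if not stored_secret:
        return False
    provided = _header(headers, "st_authorization")
    if not provided:
        return False
    # Constant-time comparison, so a mismatch reveals nothing about the key's bytes.
    return hmac.compare_digest(provided.encode(), stored_secret.encode())

def install_exposed(version: str, stored_secret) -> bool:
    # Triage rule from the advisory: affected release (<= 1.0.78) AND no API key set.
    parts = tuple(int(p) for p in version.split("."))
    return parts <= (1, 0, 78) and not stored_secret

def create_user_endpoint(headers, stored_secret, body, users, authenticate):
    # Simulated REST handler: the account store changes only when authentication passes.
    if not authenticate(headers, stored_secret):
        return {"status": 403, "created": None}
    users.add(body["user"])
    return {"status": 200, "created": body["user"]}
```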
