Critical OttoKit WordPress Plugin vulnerability patched after active exploitation
Take action: If you're using the OttoKit WordPress plugin, update IMMEDIATELY to version 1.0.83 or later. The flaw is actively exploited and your WordPress site is exposed to the internet. DON'T DELAY, updating a plugin is trivial. After updating, check your user accounts for any unauthorized administrator accounts that may have been created by attackers.
Learn More
Patchstack has disclosed a critical vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin that affects over 100,000 active installations.
The flaw, tracked as CVE-2025-27007 (CVSS score 9.8), is an unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin that allows attackers to obtain full control of websites via the plugin's API, including the ability to create administrator-level user accounts.
The vulnerability stems from a logic error in the plugin's create_wp_connection function, which incorrectly handles responses from WordPress's wp_authenticate_application_password function. The flaw also involves insufficient verification of user-provided access tokens. This combination of issues creates a critical security gap on websites where administrators have not set an application password.
Exploitation attempts began approximately 90 minutes after the vulnerability's public disclosure on May 5, 2025. Attackers have been observed targeting specific REST API endpoints with requests that mimic legitimate integration attempts:
/wp-json/sure-triggers/v1/connection/create-wp-connection?rest_route=/wp-json/sure-triggers/v1/connection/create-wp-connection
The attackers use guessed or brute-forced administrator usernames with random passwords and fake access keys to establish unauthorized connections. Once successful, they issue follow-up API calls to create rogue administrator accounts, which happens silently on vulnerable installations.
This marks the second critical-severity flaw in OttoKit exploited since April 2025.
Brainstorm Force, the developer of OttoKit, released a patch in version 1.0.83 on April 21, 2025, which corrects the logic error and adds validation for the access keys used in connection requests. The WordPress.org Plugins Team pushed a forced update, and by April 24, nearly all installations had been updated to the patched version.
Website administrators using the OttoKit plugin should ensure they have updated to at least version 1.0.83 immediately and review logs and site settings for indicators of compromise - especially check for newly created administrator accounts that may have been added by attackers.
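The two checks recommended above (review logs for hits on the abused endpoint, and look for newly created administrator accounts) as a small script. This is an added example written for this page, not code from Patchstack, Brainstorm Force or BeyondMachines. The access-log lines and the user list are constructed samples; the endpoint path is the one quoted in this advisory; the user records assume the field layout that `wp user list --format=json` produces (user_login, user_registered, comma-separated roles), which is how you would export them from a real site.

```python
"""Post-incident checks for CVE-2025-27007 (OttoKit / SureTriggers).

1. scan_access_log(): find requests to the vulnerable connection endpoint
   in a web server access log and summarise them per client IP.
2. suspicious_admins(): list administrator accounts registered on or after
   a chosen date (e.g. the public disclosure date).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# REST route named in the advisory as the one attackers were hitting.
VULN_ROUTE = "/wp-json/sure-triggers/v1/connection/create-wp-connection"

# Public disclosure date given in the advisory (May 5, 2025).
DISCLOSURE = datetime(2025, 5, 5, tzinfo=timezone.utc)

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2025:14:02:11 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection?rest_route=/wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.10 - - [05/May/2025:14:02:13 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection?rest_route=/wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [05/May/2025:14:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.44 - - [06/May/2025:09:15:02 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 403 97 "-" "curl/8.4.0"
"""

# Constructed sample users in the shape of `wp user list --format=json`.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-01-10 08:00:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor1", "user_registered": "2024-06-02 12:30:00", "roles": "editor"},
    {"ID": 57, "user_login": "wp_support_x9", "user_registered": "2025-05-05 14:02:31", "roles": "administrator"},
]


def parse_ts(raw):
    """Parse an access-log timestamp such as '05/May/2025:14:02:11 +0000'."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def _new_record():
    return {"hits": 0, "first": None, "last": None, "statuses": set()}


def scan_access_log(lines):
    """Return {ip: {hits, first, last, statuses}} for requests whose path or
    rest_route query parameter references the vulnerable endpoint."""
    hits = defaultdict(_new_record)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or VULN_ROUTE not in m["path"]:
            continue
        ts = parse_ts(m["ts"])
        rec = hits[m["ip"]]
        rec["hits"] += 1
        rec["first"] = ts if rec["first"] is None or ts < rec["first"] else rec["first"]
        rec["last"] = ts if rec["last"] is None or ts > rec["last"] else rec["last"]
        rec["statuses"].add(int(m["status"]))
    return dict(hits)


def suspicious_admins(users, since):
    """Logins of administrator accounts registered at or after `since`
    (an aware datetime; WordPress stores user_registered in UTC)."""
    flagged = []
    for u in users:
        if "administrator" not in u.get("roles", "").split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered.replace(tzinfo=timezone.utc) >= since:
            flagged.append(u["user_login"])
    return flagged


def main():
    report = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, rec in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip}: {rec['hits']} hit(s) on {VULN_ROUTE}, statuses {sorted(rec['statuses'])}, "
              f"{rec['first']:%Y-%m-%d %H:%M} .. {rec['last']:%Y-%m-%d %H:%M}")
    admins = suspicious_admins(SAMPLE_USERS, DISCLOSURE)
    print("administrators registered since disclosure:", admins or "none")


if __name__ == "__main__":
    main()
```

A successful (HTTP 200) connection creation from an IP you do not recognise, followed within seconds by a new administrator account, is the pattern described above; a 403 after the update is the patched plugin rejecting the request. Any administrator the second check flags that you did not create yourself should be disabled and its activity reviewed.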
Update (as of 14th of July 2024): Brainstorm Force claims that there is no evidence of real-world exploitation related to CVE-2025-27007. Per the vendor, the issue was resolved in version 1.0.83, which was apparently pushed as a forced auto-update via the WordPress.org Plugins team.
The team at BeyondMachines just cares that as many people as possible are aware of the issue and use a patched product.