Hackers exploit OttoKit WordPress plugin flaw so as to add admin accounts

Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted websites.

OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used on over 100,000 websites, allowing users to connect their sites to third-party services and automate workflows.

Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.

The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, bypassing authentication checks when application passwords are not set.

The vendor was informed the next day, and a patch was released on April 21, 2025, with OttoKit version 1.0.83, adding a validation check for the access key used in the request.

By April 24, 2025, most plugin users had been force-updated to the patched version.

Now exploited in attacks

Patchstack published its report on May 5, 2025, but a new update warns that exploitation activity started roughly 90 minutes after public disclosure.

Attackers attempted exploitation by targeting REST API endpoints, sending requests that mimic legitimate integration attempts, using 'create_wp_connection' with guessed or brute-forced administrator usernames, random passwords, and fake access keys and email addresses.

Once the initial exploit was successful, attackers issued follow-up API calls to '/wp-json/sure-triggers/v1/automation/action' and '?rest_route=/wp-json/sure-triggers/v1/automation/action', including the payload value "type_event": "create_user_if_not_exists".

On vulnerable installations, this silently creates new administrator accounts.
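As an added example (not code from the article, Patchstack or the OttoKit project), the following Python triages a JSON-lines request log for the follow-up call described above: a POST to the automation/action route, in either URL form, whose body carries "type_event": "create_user_if_not_exists". The log schema ('ip', 'method', 'url', 'body') and the sample records are constructed for this example, and the route is matched as a suffix so the ?rest_route= form is caught with or without the /wp-json prefix.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Route and event named in the article. The route is matched as a suffix so the
# pretty path and the ?rest_route= form (with or without /wp-json) both match.
SUSPECT_ROUTE_SUFFIX = "sure-triggers/v1/automation/action"
SUSPECT_EVENT = "create_user_if_not_exists"

def rest_route(url: str) -> str:
    """REST route a request targets; honours the ?rest_route=... query form."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    route = query["rest_route"][0] if "rest_route" in query else parts.path
    return route.rstrip("/")

def is_rogue_admin_attempt(record: dict) -> bool:
    """POST to automation/action carrying create_user_if_not_exists. `record` uses a
    constructed schema ('ip', 'method', 'url', 'body'), not WordPress's own log format."""
    if record.get("method", "").upper() != "POST":
        return False
    if not rest_route(record.get("url", "")).endswith(SUSPECT_ROUTE_SUFFIX):
        return False
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return False  # non-JSON body: not this pattern, but worth a manual look
    return isinstance(body, dict) and body.get("type_event") == SUSPECT_EVENT

def triage(lines):
    """Return (ip, url) for every suspicious record in an iterable of JSON lines."""
    hits = []
    for line in lines:
        if line.strip():
            record = json.loads(line)
            if is_rogue_admin_attempt(record):
                hits.append((record.get("ip"), record["url"]))
    return hits

# Constructed sample records (not real traffic): a benign GET, the two attack forms
# from the article, a POST with an unrelated event, and a non-JSON body.
ATTACK_BODY = json.dumps({"type_event": "create_user_if_not_exists"})
SAMPLE_RECORDS = [
    {"ip": "198.51.100.7", "method": "GET", "url": "/wp-json/sure-triggers/v1/automation/action", "body": ""},
    {"ip": "203.0.113.9", "method": "POST", "url": "/wp-json/sure-triggers/v1/automation/action", "body": ATTACK_BODY},
    {"ip": "203.0.113.9", "method": "POST", "url": "/?rest_route=/wp-json/sure-triggers/v1/automation/action", "body": ATTACK_BODY},
    {"ip": "192.0.2.44", "method": "POST", "url": "/wp-json/sure-triggers/v1/automation/action", "body": json.dumps({"type_event": "other_event"})},
    {"ip": "192.0.2.45", "method": "POST", "url": "/wp-json/sure-triggers/v1/automation/action/", "body": "not json"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]
```

Running `triage(SAMPLE_LOG)` flags only the two records that carry the create_user_if_not_exists event; a hit on a site that was still below version 1.0.83 at that time is a cue to audit the user table for unexpected administrator accounts.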

"It is strongly recommended to update your website as soon as possible if you are using the OttoKit plugin, and to review your logs and website settings for these indicators of attack and compromise," suggests Patchstack.

This is the second critical-severity flaw in OttoKit that hackers have exploited since April 2025, the previous one being another authentication bypass bug tracked as CVE-2025-3102.

Exploitation of that flaw started on the same day as its disclosure, with threat actors attempting to create rogue administrator accounts with randomized usernames, passwords, and email addresses, indicating automated attempts.
