
OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

A second security flaw affecting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug affecting all versions of the plugin prior to and including version 1.0.82.

“This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user’s authentication credentials,” Wordfence said. “This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible.”

That said, the vulnerability is exploitable only in two possible scenarios –

  • When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before
  • When an attacker has authenticated access to a site and can generate a valid application password

Wordfence revealed that it observed the threat actors attempting to exploit the initial connection vulnerability to establish a connection with the site, followed by using it to create an administrative user account via the automation/action endpoint.


Furthermore, the attack attempts simultaneously aim for CVE-2025-3102 (CVSS score: 8.1), another flaw in the same plugin that has also been exploited in the wild since last month.


This has raised the possibility that the threat actors are opportunistically scanning WordPress installations to see if they are susceptible to either of the two flaws. The IP addresses that have been observed targeting the vulnerabilities are listed below –

  • 2a0b:4141:820:1f4::2
  • 41.216.188.205
  • 144.91.119.115
  • 194.87.29.57
  • 196.251.69.118
  • 107.189.29.12
  • 205.185.123.102
  • 198.98.51.24
  • 198.98.52.226
  • 199.195.248.147
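
The IP list above is only useful if it is checked against real traffic. The following script is an added example, not code from the article or from Wordfence: it parses combined-format web-server access logs, flags requests from the published source addresses, and separately flags requests to the plugin's automation/action endpoint that the article mentions. The `/wp-json/sure-triggers/v1/` prefix, the `ottokit` and `sure-triggers` path fragments and every sample log line are constructed assumptions for the demonstration; only the IP addresses and the `automation/action` fragment come from the article.

```python
"""Scan access logs for the OttoKit exploitation indicators reported by Wordfence."""
import ipaddress
import re

# Source IPs observed targeting CVE-2025-27007 / CVE-2025-3102 (copied from the article).
OTTOKIT_IOC_IPS = frozenset(ipaddress.ip_address(ip) for ip in (
    "2a0b:4141:820:1f4::2",
    "41.216.188.205",
    "144.91.119.115",
    "194.87.29.57",
    "196.251.69.118",
    "107.189.29.12",
    "205.185.123.102",
    "198.98.51.24",
    "198.98.52.226",
    "199.195.248.147",
))

# Request-path fragments worth a second look. "automation/action" is the endpoint
# named in the article; the other two are assumptions based on the plugin's
# current and former names, not routes quoted on the page.
SUSPECT_PATH_FRAGMENTS = ("automation/action", "sure-triggers", "ottokit")

# Apache/nginx "combined" log format (adjust the regex to your own log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    try:
        # Normalise to an address object so IPv6 spellings compare correctly.
        fields["ip"] = ipaddress.ip_address(fields["ip"])
    except ValueError:
        return None  # hostname or junk in the client field
    return fields


def classify(fields):
    """Return the list of reasons a parsed request is suspicious (empty = nothing seen)."""
    reasons = []
    if fields["ip"] in OTTOKIT_IOC_IPS:
        reasons.append("source IP on published IoC list")
    if any(frag in fields["path"].lower() for frag in SUSPECT_PATH_FRAGMENTS):
        reasons.append("request to plugin endpoint")
    return reasons


def find_hits(lines):
    """Return (ip, timestamp, path, reasons) for every line that trips at least one check."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = classify(fields)
        if reasons:
            hits.append((str(fields["ip"]), fields["ts"], fields["path"], reasons))
    return hits


# Constructed sample log lines (not real traffic): an IoC IP hitting the endpoint,
# an unlisted IP hitting the endpoint, a benign request, an unparseable line,
# and an IoC IPv6 address requesting an unrelated page.
SAMPLE_LOG = [
    '198.98.51.24 - - [04/May/2025:10:15:01 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/May/2025:10:16:30 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.9 - - [04/May/2025:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
    '2a0b:4141:820:1f4::2 - - [04/May/2025:10:18:45 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, path, reasons in find_hits(SAMPLE_LOG):
        print(f"{ts} {ip} {path}: {'; '.join(reasons)}")
```

Matching on source address alone is weak evidence, since scanners rotate infrastructure; a POST to the plugin endpoint from an address that has never connected before, followed shortly by a new administrator account in `wp_users`, is the combination worth alerting on.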

Given that the plugin has over 100,000 active installations, it is essential that users move quickly to apply the latest patches (version 1.0.83).

“Attackers may have started actively targeting this vulnerability as early as May 2, 2025 with mass exploitation beginning on May 4, 2025,” Wordfence said.
