
Hackers exploit OttoKit WordPress plugin flaw so as to add admin accounts


Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted websites.

OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used on over 100,000 websites, allowing users to connect their sites to third-party services and automate workflows.

Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.

The flaw, tracked as CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, which bypasses authentication checks when application passwords are not set.

The vendor was informed the next day, and a patch was released on April 21, 2025, with OttoKit version 1.0.83, adding a validation check for the access key used in the request.

By April 24, 2025, most plugin users had been force-updated to the patched version.

Now exploited in attacks

Patchstack published its report on May 5, 2025, but a new update warns that exploitation activity started roughly 90 minutes after public disclosure.

Attackers attempted exploitation by targeting REST API endpoints, sending requests that mimic legitimate integration attempts: calls to 'create_wp_connection' with guessed or brute-forced administrator usernames, random passwords, and fake access keys and email addresses.

Once the initial exploit succeeded, attackers issued follow-up API calls to '/wp-json/sure-triggers/v1/automation/action' and '?rest_route=/wp-json/sure-triggers/v1/automation/action', including the payload value: "type_event": "create_user_if_not_exists".

On vulnerable installations, this silently creates a new administrator account.
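The two-step chain described above (a 'create_wp_connection' call followed by a hit on the automation/action endpoint from the same source) is visible in ordinary web server access logs, including when the attacker uses the '?rest_route=' form that simple path filters miss. The following detector is an added example written for this page, not code from Patchstack or the OttoKit project. It matches on the REST namespace and function name the article gives; the full path of the connection endpoint shown in the constructed sample log is an assumption, as are all IPs and timestamps.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Indicators named in the write-up: the plugin's REST namespace, the
# create_wp_connection function used for the initial bypass, and the
# automation/action endpoint used to add the rogue administrator.
NAMESPACE = "/sure-triggers/v1/"
CONNECTION_FN = "create_wp_connection"
ACTION_ROUTE = "/sure-triggers/v1/automation/action"

# Default nginx/Apache combined log format; only source IP, timestamp,
# request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). The connection endpoint path
# is assumed; the article only names the create_wp_connection function.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2025:14:02:10 +0000] "POST /wp-json/sure-triggers/v1/connection/create_wp_connection HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/May/2025:14:02:11 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 188 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/May/2025:14:05:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/May/2025:14:09:30 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 401 73 "-" "python-requests/2.31"',
]


def rest_route(target):
    """Normalise a request target to its WP REST route, or None if not a REST call.

    Handles both pretty URLs (/wp-json/<route>) and the ?rest_route=<route>
    form; the article shows attackers using either, and rest_route values
    that still carry a leading /wp-json prefix.
    """
    parsed = urlparse(target)
    qs = parse_qs(parsed.query)
    if "rest_route" in qs:
        route = unquote(qs["rest_route"][0])
    elif "/wp-json/" in parsed.path:
        route = unquote(parsed.path).split("/wp-json", 1)[1]
    else:
        return None
    if route.startswith("/wp-json"):
        route = route[len("/wp-json"):]
    if not route.startswith("/"):
        route = "/" + route
    return route.rstrip("/")


def classify(route):
    """Label a route as the bypass call, the user-creation call, or another plugin call."""
    if CONNECTION_FN in route:
        return "connection"
    if route == ACTION_ROUTE:
        return "action"
    if route.startswith(NAMESPACE):
        return "other-plugin-call"
    return None


def scan(lines):
    """Return every OttoKit REST hit plus the IPs that completed the two-step chain.

    An IP enters `chains` when a create_wp_connection request that returned
    200 is later followed by an automation/action request from the same IP.
    """
    hits, chains, connected = [], [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if route is None:
            continue
        kind = classify(route)
        if kind is None:
            continue
        ip, status = m["ip"], int(m["status"])
        hits.append({"ip": ip, "ts": m["ts"], "route": route, "kind": kind, "status": status})
        if kind == "connection" and status == 200:
            connected.add(ip)
        elif kind == "action" and ip in connected and ip not in chains:
            chains.append(ip)
    return {"hits": hits, "chains": chains}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]:<14} {h["status"]} {h["kind"]:<18} {h["route"]}')
    print("chain completed from:", result["chains"])
```

Access logs do not record the POST body, so the "type_event": "create_user_if_not_exists" payload is only visible where request bodies are logged (a WAF or a debug proxy); treat any IP in `chains` as a lead, then cross-check administrator accounts created around those timestamps. A 401 on the action endpoint alone, as in the last sample line, is a probe rather than a success.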

"It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise," Patchstack advises.

This is the second critical severity flaw in OttoKit that hackers have exploited since April 2025, the previous one being another authentication bypass bug tracked as CVE-2025-3102.

Exploitation of that flaw started on the same day as disclosure, with threat actors attempting to create rogue administrator accounts with randomized usernames, passwords, and email addresses, indicating automated attempts.
