
Hackers exploit OttoKit WordPress plugin flaw to add admin accounts

May 7, 2025

Jasper_The_Rasper
Moderator

May 7, 2025 By Bill Toulas

Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.

OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used in over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.

Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.

The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, bypassing authentication checks when application passwords aren't set.

The vendor was informed the next day, and a patch was released on April 21, 2025, with OttoKit version 1.0.83, adding a validation check for the access key used in the request.

By April 24, 2025, most plugin users had been force-updated to the patched version.

>>Full Article<<
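The impact described in the article is rogue administrator accounts. An audit for exactly that is below: an added example, not code from the article, the forum post or the OttoKit project. It takes the CSV that WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` prints, and flags any administrator that is either absent from an allowlist of expected admin logins or was registered on or after a cut-off date (the April 11, 2025 report date from the article is used here; adjust it to your own window). The sample CSV, the logins, e-mail addresses and the `KNOWN_ADMINS` allowlist are all constructed for the example and do not describe any real site.

```python
import csv
import io
import sys
from datetime import datetime

# Constructed sample of WP-CLI output (hypothetical data, not from a real site):
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_WP_CLI_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-04 10:15:22
7,editor_admin,editor@example.com,2023-11-19 08:02:10
42,wpsupport,wpsupport@example.net,2025-04-15 03:41:57
43,sys_backup,backup@example.org,2025-05-02 22:10:05
"""

# Allowlist of administrator logins the site owner actually created (constructed).
KNOWN_ADMINS = {"siteowner", "editor_admin"}

# Any admin registered on/after this date is worth a second look.
# April 11, 2025 is the date the flaw was reported to Patchstack (from the article).
CUTOFF = datetime(2025, 4, 11)


def parse_admin_list(csv_text):
    """Parse WP-CLI's CSV user listing into a list of dicts with typed fields."""
    reader = csv.DictReader(io.StringIO(csv_text))
    admins = []
    for row in reader:
        admins.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "email": row["user_email"],
            # WP-CLI prints user_registered as "YYYY-MM-DD HH:MM:SS"
            "registered": datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S"),
        })
    return admins


def find_suspicious_admins(admins, known_logins, cutoff):
    """Return [(login, [reasons...])] for admins that fail either check.

    An account is flagged when its login is not on the allowlist, when it was
    registered on or after the cutoff, or both; each reason is reported.
    """
    flagged = []
    for admin in admins:
        reasons = []
        if admin["login"] not in known_logins:
            reasons.append("login not in known-admin allowlist")
        if admin["registered"] >= cutoff:
            reasons.append("registered on/after cutoff %s" % cutoff.date())
        if reasons:
            flagged.append((admin["login"], reasons))
    return flagged


def main():
    # Read real WP-CLI output from stdin when piped in; otherwise use the sample.
    csv_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_CSV
    admins = parse_admin_list(csv_text)
    flagged = find_suspicious_admins(admins, KNOWN_ADMINS, CUTOFF)
    if not flagged:
        print("No unexpected administrator accounts found.")
        return
    for login, reasons in flagged:
        print("REVIEW %-20s %s" % (login, "; ".join(reasons)))


if __name__ == "__main__":
    main()
```

Run it on a live site with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv | python3 audit_admins.py` (the file name is arbitrary). A flagged account is a prompt to investigate, not proof of compromise: compare it against your change records, and on a site that ran a vulnerable OttoKit version before the forced update, pay particular attention to anything registered between the report date and the day the site reached 1.0.83.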