Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.
OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used in over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.
Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.
The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin’s API by exploiting a logic error in the ‘create_wp_connection’ function, bypassing authentication checks when application passwords aren’t set.
The vendor was informed the next day, and a patch was released on April 21, 2025, with OttiKit version 1.0.83, adding a validation check for the access key used in the request.
By April 24, 2025, most plugin users had been force-updated to the patched version.
Now exploited in attacks
Patchstack published its report on May 5, 2025, but a new update warns that exploitation activity started roughly 90 minutes after public disclosure.
Attackers attempted exploitation by targeting REST API endpoints, sending requests mimicking legitimate integration attempts, using ‘create_wp_connection’ with guessed or brute-forced administrator usernames, random passwords, and fake access keys and email addresses.
Once the initial exploit was successful, attackers issued follow-up API calls to ‘/wp-json/sure-triggers/v1/automation/action’ and ‘?rest_route=/wp-json/sure-triggers/v1/automation/action,’ including the payload value: “type_event”: “create_user_if_not_exists.”
On vulnerable installations, this silently creates new administrator accounts.
“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” suggests Patchstack.
This is the second critical severity flaw in OttoKit that hackers have exploited since April 2025, with the previous being another authentication bypass bug tracked as CVE-2025-3102.
Exploitation of that flaw started on the same day of disclosure, with threat actors attempting to create rogue administrator accounts with randomized usernames, passwords, and email addresses, indicating automated attempts.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
