
A newly disclosed critical vulnerability in the popular OttoKit WordPress plugin—with over 100,000 active installations—has placed countless websites at risk of full compromise. Discovered by Denver Jackson and disclosed through the Patchstack Zero Day bug bounty program, this severe security issue (tracked as CVE-2025-27007, CVSS 9.8) was actively exploited within one hour of disclosure.
“The OttoKit plugin suffered from an unauthenticated Privilege Escalation vulnerability,” Patchstack explains. “This vulnerability could lead to an attacker obtaining full control of the website… including the ability to create additional Administrator-level user accounts.”
Developed by Brainstorm Force, OttoKit is an automation/integration plugin that allows WordPress sites to connect with third-party tools and automate tasks across platforms. It is widely used across marketing, sales, and e-commerce environments for streamlined workflow management.
The flaw lies in the create_wp_connection function, accessible via the plugin’s REST API endpoint: /wp-json/sure-triggers/v1/connection/create-wp-connection.
Due to a logic error in processing responses from the wp_authenticate_application_password function and insufficient token validation, attackers only need to know the administrator’s username to exploit the flaw. If no application password is set by the admin, a malicious user can bypass authentication entirely.
“Any user with knowledge of the administrator’s username is able to create this connection request,” the report warns.
Patchstack notes that exploitation began within an hour of public disclosure. Websites running OttoKit should urgently inspect logs for:
- Requests to:
  - /wp-json/sure-triggers/v1/connection/create-wp-connection
  - /wp-json/sure-triggers/v1/automation/action
- Payloads containing:
  - "type_event": "create_user_if_not_exists"
- New administrator accounts suddenly appearing
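One way to carry out the log review above, added here as an example and not code from Patchstack or from the plugin: a small Python scanner that flags access-log lines hitting the two OttoKit endpoints or carrying the create-user payload. The trailing "body=" field and the sample lines are constructed assumptions, since ordinary access logs do not record POST bodies.

```python
import re

# Indicators named in the Patchstack advisory for CVE-2025-27007
SUSPICIOUS_PATHS = {
    "/wp-json/sure-triggers/v1/connection/create-wp-connection",
    "/wp-json/sure-triggers/v1/automation/action",
}
# Matches the payload whether or not the JSON contains whitespace
PAYLOAD_RE = re.compile(r'"type_event"\s*:\s*"create_user_if_not_exists"')

# Combined log format plus an optional trailing "body=..." field. That field is
# an assumption (e.g. from a WAF audit log); standard access logs lack it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
    r'(?: body=(?P<body>.*))?$'
)

def scan_access_log(lines):
    """Return one record per suspicious line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        body = m.group("body") or ""
        reasons = []
        if path in SUSPICIOUS_PATHS:
            reasons.append("endpoint")
        if PAYLOAD_RE.search(body):
            reasons.append("create_user_payload")
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": int(m.group("status")), "path": path,
                         "reasons": reasons})
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2025:10:12:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [05/May/2025:10:12:03 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 88 "-" "python-requests/2.31" body={"type_event":"create_user_if_not_exists"}
198.51.100.7 - - [05/May/2025:10:13:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["status"], hit["path"], hit["reasons"])
```

Feed it your real access log with `scan_access_log(open("access.log"))` and treat any hit dated after the disclosure, especially one followed by a new administrator account, as grounds for a full compromise assessment.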
What You Should Do
- Update to OttoKit version 1.0.83 or later, which contains the fix
- Review your access logs for suspicious REST API requests
- Audit user accounts for unexpected administrator entries