OttoKit WordPress Plugin with Over 100K Installs Faces Exploits Targeting Multiple Vulnerabilities

New Vulnerability in OttoKit WordPress Plugin Under Active Exploitation

A serious security vulnerability in the OttoKit WordPress plugin (formerly known as SureTriggers) is under active exploitation in the wild. Tracked as CVE-2025-27007, the critical privilege escalation flaw carries a CVSS score of 9.8 and affects all versions of the plugin up to and including 1.0.82.

The root cause lies in the create_wp_connection() function, which performs no capability check and does not adequately verify the authentication credentials supplied to it. As a result, an unauthenticated attacker can establish a connection to a vulnerable site, and that connection is the foothold from which privileges are escalated.

Exploitation is possible in either of two scenarios. In the first, the site has never enabled or used an application password and has never connected the OttoKit plugin to the website using one. In the second, the attacker already has authenticated access to the site and can generate a valid application password. Wordfence has observed threat actors attempting to exploit this initial connection flaw to link to websites, then using the established connection to create administrative user accounts via the automation/action endpoint.

Further complicating matters, attackers are also targeting another vulnerability in the same plugin, identified as CVE-2025-3102, with a CVSS score of 8.1. Exploit attempts for this flaw have been noted in the wild since last month, suggesting a coordinated scanning effort by adversaries to identify susceptible WordPress installations.

Several IP addresses have so far been linked to these exploitation attempts, indicating a broad campaign against vulnerable systems. With the OttoKit plugin active on more than 100,000 installations, users should update to the patched release (version 1.0.83) without delay. Note that updating removes the vulnerable code but does not undo anything an attacker already did through it: sites that were exposed while unpatched should also audit their administrator accounts and the plugin's stored connections for entries they did not create.

Wordfence reported that attack attempts may have begun as early as May 2, 2025, with widespread exploitation following two days later, on May 4, underscoring the urgency for site owners running the affected plugin.

In a separate advisory, Patchstack reported that exploitation attempts targeting CVE-2025-27007 began just 91 minutes after public disclosure. The flaw stems from a logic error in how the plugin handles the return value of WordPress's wp_authenticate_application_password() function, which lets an attacker gain full control of the website through the OttoKit plugin's API.
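To make the failure mode described in the root-cause paragraph and here concrete, the following PHP script is an added example; it is neither OttoKit's code nor WordPress core. The stand-ins for WP_User, WP_Error, user_can() and wp_authenticate_application_password() are constructed for the example. The one thing it assumes about core is the documented return contract of wp_authenticate_application_password(): a WP_User on a successful login, a WP_Error on a rejected one, and its first argument returned unchanged (null for an unauthenticated REST request) when the site has never used application passwords. Treating "not a WP_Error" as "authenticated" is one way the mishandling described above could arise; that this is the exact shape of the plugin's bug is an assumption, not something the advisories state.

```php
<?php
// Added example, not OttoKit's or WordPress's code. Constructed stand-ins let it
// run with plain `php`; the names mirror the core API they imitate.
//
// Assumed core contract for wp_authenticate_application_password():
//   - WP_User  : application password accepted
//   - WP_Error : username/password pair rejected
//   - $input_user unchanged (null for an anonymous REST request) when the site
//     has never used application passwords -> NOT an error, NOT a user

class WP_User {
    public int $ID;
    public string $user_login;
    public array $caps;
    public function __construct(int $id, string $login, array $caps) {
        $this->ID = $id; $this->user_login = $login; $this->caps = $caps;
    }
}

class WP_Error {
    public string $code;
    public function __construct(string $code) { $this->code = $code; }
}

function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Stand-in for user_can(): true if the user holds the capability.
function stub_user_can(WP_User $user, string $cap): bool {
    return in_array($cap, $user->caps, true);
}

// Stand-in for wp_authenticate_application_password(). $in_use models the
// site-wide "application passwords have ever been used" flag; $known maps
// username => [password, WP_User].
function stub_wp_authenticate_application_password($input_user, string $username,
                                                   string $password, bool $in_use, array $known) {
    if (!$in_use) {
        return $input_user;                       // pass-through, not an error
    }
    if (isset($known[$username]) && hash_equals($known[$username][0], $password)) {
        return $known[$username][1];
    }
    return new WP_Error('invalid_application_password');
}

// Vulnerable pattern: "anything that is not a WP_Error counts as authenticated".
// null (site never used app passwords) and a low-privilege WP_User both pass.
function vulnerable_accepts($auth_result): bool {
    return !is_wp_error($auth_result);
}

// Hardened pattern: require an actual WP_User AND an administrative capability.
function hardened_accepts($auth_result, string $cap = 'manage_options'): bool {
    if (!($auth_result instanceof WP_User)) {
        return false;
    }
    return stub_user_can($auth_result, $cap);
}

// Runs the situations the advisories describe and returns both verdicts per case.
function run_scenarios(): array {
    $admin      = new WP_User(1, 'admin',      ['manage_options', 'read']);
    $subscriber = new WP_User(7, 'subscriber', ['read']);
    // Constructed credentials (WordPress shows app passwords as six groups of four).
    $known = [
        'admin'      => ['AAAA BBBB CCCC DDDD EEEE FFFF', $admin],
        'subscriber' => ['GGGG HHHH IIII JJJJ KKKK LLLL', $subscriber],
    ];
    $cases = [
        // Scenario 1: app passwords never used; attacker sends junk credentials.
        'never_enabled'  => stub_wp_authenticate_application_password(null, 'attacker', 'junk', false, $known),
        // Scenario 2: attacker holds a low-privilege account with a valid app password.
        'low_priv_valid' => stub_wp_authenticate_application_password(null, 'subscriber', 'GGGG HHHH IIII JJJJ KKKK LLLL', true, $known),
        // Legitimate administrator connection.
        'admin_valid'    => stub_wp_authenticate_application_password(null, 'admin', 'AAAA BBBB CCCC DDDD EEEE FFFF', true, $known),
        // Wrong password with app passwords enabled.
        'bad_password'   => stub_wp_authenticate_application_password(null, 'admin', 'wrong', true, $known),
    ];
    $out = [];
    foreach ($cases as $name => $result) {
        $out[$name] = ['vulnerable' => vulnerable_accepts($result),
                       'hardened'   => hardened_accepts($result)];
    }
    return $out;
}

foreach (run_scenarios() as $name => $verdict) {
    printf("%-15s vulnerable=%s hardened=%s\n", $name,
        $verdict['vulnerable'] ? 'ACCEPT' : 'reject',
        $verdict['hardened']   ? 'ACCEPT' : 'reject');
}
```

The first two cases are the two exploitation scenarios from the advisories: the vulnerable check accepts both, the hardened check rejects both, and only the genuine administrator is accepted by both. In a real plugin the hardened test belongs in the permission_callback of register_rest_route(), so the REST layer refuses the request before any connection state is written.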

In response to the vulnerabilities, the OttoKit team issued a statement indicating that they acted swiftly to address the identified issues and found no evidence of active exploitation among their users. They confirmed that they had successfully deployed a patch for CVE-2025-27007 in collaboration with WordPress and hosting providers, effectively averting significant impact.

For business owners, understanding the tactics used in these attacks is crucial. The exploitation of this vulnerability maps directly onto the Initial Access and Privilege Escalation tactics of the MITRE ATT&CK framework, which highlights the need for continuous monitoring and proactive security measures. As the threat landscape evolves, staying informed about emerging threats and applying updates promptly remains essential for keeping systems out of the hands of malicious actors.
