SecurityWeek reports that WordPress websites using the widely adopted OttoKit plugin, formerly known as SureTriggers, have been subjected to attacks exploiting a critical vulnerability, tracked as CVE-2025-27007, which could result in unauthenticated site access.
Attackers could leverage the issue, which stems from OttoKit's 'create_wp_connection()' function, to facilitate privilege escalation in websites that have not activated or used an app password, a report from Defiant revealed. "[I]t appears that attackers are attempting to exploit the initial connection vulnerability to establish a connection with the site, and then subsequently use that to create an administrative user account through the automation/action endpoint," said Defiant. Such active exploitation of an OttoKit bug comes just weeks after another flaw in the plugin, tracked as CVE-2025-3102, was abused by malicious actors for admin account creation and website hijacking activities. Both of the issues have already been addressed in OttoKit version 1.0.83, which should be immediately installed by site owners and admins.