OttoKit WordPress Plugin Exposed: 100K+ Installations Targeted by Exploits of Multiple Vulnerabilities


A significant security vulnerability has been identified in the OttoKit (formerly SureTriggers) WordPress plugin, which is currently being actively exploited. This vulnerability, classified as CVE-2025-27007 with a CVSS score of 9.8, is a privilege escalation flaw that affects all plugin versions up to and including 1.0.82.

The core issue arises from the create_wp_connection() function, which lacks a capability check and does not adequately verify user authentication credentials. As a result, unauthenticated attackers can establish a connection to the site, a foothold that can lead to privilege escalation.

Exploitation of this vulnerability hinges on two specific conditions:

– The site must never have enabled or used an application password, and OttoKit must not have been previously connected using an application password.
– An attacker must possess authenticated access to the site, allowing them to generate a valid application password.

Threat actors have been observed attempting to exploit this initial connection vulnerability to gain unauthorized access and subsequently create administrative user accounts through the automation/action endpoint.

Furthermore, the attackers appear to be targeting another vulnerability, CVE-2025-3102 (CVSS score: 8.1), in the same plugin. This indicates a potentially coordinated effort to scan WordPress installations for exploitable vulnerabilities. The following IP addresses have been identified as active participants in this malicious activity:

– 2a0b:4141:820:1f4::2
– 41.216.188.205
– 144.91.119.115
– 194.87.29.57
– 196.251.69.118
– 107.189.29.12
– 205.185.123.102
– 198.98.51.24
– 198.98.52.226
– 199.195.248.147
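As an added example that is not from the article or from the OttoKit project, the following PHP CLI script checks a web-server access log (combined log format) for the addresses listed above and for requests to the plugin's REST routes. The route prefix `/wp-json/sure-triggers/v1/` is an assumption to verify against your own install, and the embedded log lines are constructed for the example.

```php
<?php
// Added example, not part of the article or of the OttoKit plugin: scan an
// access log for the IP addresses listed in the article and for requests to
// the plugin's REST routes.
// ASSUMPTION: the route prefix below; confirm the real routes on your site.
// The sample log lines at the bottom are constructed, not real traffic.

const IOC_IPS = array(
    '2a0b:4141:820:1f4::2', '41.216.188.205', '144.91.119.115', '194.87.29.57',
    '196.251.69.118', '107.189.29.12', '205.185.123.102', '198.98.51.24',
    '198.98.52.226', '199.195.248.147',
);

// Assumed REST namespace prefix for the plugin (illustrative; verify locally).
const PLUGIN_ROUTE_HINT = '/wp-json/sure-triggers/v1/';

/**
 * Returns one entry per flagged request: ip, time, method, path, status and
 * the reasons it was flagged. Requests to the plugin route are flagged even
 * from unlisted IPs, because scanner addresses rotate.
 */
function scan_access_log( string $log, array $ioc_ips, string $route_hint ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', $log ) as $line ) {
        if ( '' === trim( $line ) ) {
            continue;
        }
        // Combined log format: IP, identd, user, [timestamp], "METHOD PATH PROTO", status
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        $ip      = $m[1];
        $path    = $m[4];
        $reasons = array();
        if ( in_array( $ip, $ioc_ips, true ) ) {
            $reasons[] = 'known-scanner-ip';
        }
        if ( false !== strpos( $path, $route_hint ) ) {
            $reasons[] = 'plugin-rest-route';
        }
        if ( empty( $reasons ) ) {
            continue;
        }
        $hits[] = array(
            'ip'      => $ip,
            'time'    => $m[2],
            'method'  => $m[3],
            'path'    => $path,
            'status'  => (int) $m[5],
            'reasons' => $reasons,
        );
    }
    return $hits;
}

// Constructed sample log (not real traffic). 203.0.113.10 is a documentation address.
$sample_log = <<<'LOG'
203.0.113.10 - - [04/May/2025:09:58:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
41.216.188.205 - - [04/May/2025:10:12:03 +0000] "POST /wp-json/sure-triggers/v1/connection HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.98.51.24 - - [04/May/2025:10:12:05 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 188 "-" "python-requests/2.31"
203.0.113.10 - - [04/May/2025:10:13:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
LOG;

foreach ( scan_access_log( $sample_log, IOC_IPS, PLUGIN_ROUTE_HINT ) as $hit ) {
    printf( "%s %s %s %s -> %d [%s]\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'], implode( ',', $hit['reasons'] ) );
}
```

A 200 response to a POST on the automation/action route from an address that never authenticated through the dashboard is the combination worth reviewing first: on a vulnerable version that is where the new administrator accounts the article describes would be created, so cross-check such hits against the `wp_users` table and the user registration dates.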

Given that the plugin has over 100,000 active installations, it is critical for users to promptly apply the latest patches, found in version 1.0.83. Reports suggest that exploitation attempts began as early as May 2, 2025, with mass exploitation activities commencing on May 4, 2025.

An independent advisory from Patchstack indicated that they detected exploitation attempts merely 91 minutes after the vulnerability was made public. According to security researcher Chazz Wolcott, this vulnerability resulted from a logic error in the plugin that mishandled responses from the wp_authenticate_application_password function, alongside insufficient validation of user-provided access tokens. Consequently, unauthorized attackers could gain full control of the website via the OttoKit plugin’s API, including the ability to create additional Administrator-level accounts, particularly on sites where an application password had not been established by the administrator.
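To make the two weaknesses described in this article concrete (a missing capability check, and a return value from wp_authenticate_application_password that is not handled correctly, together with weak token validation), here is an added illustrative example in PHP. It is not the plugin's code and is not taken from the article; the route name `example-connector/v1`, the option key `example_connector_token` and the request parameter names are assumptions invented for the example. It shows a REST permission callback with those weaknesses beside a hardened version.

```php
<?php
// Added illustrative example (not OttoKit's code, not from the article): a
// WordPress REST permission callback with the weaknesses the article describes,
// beside a hardened version.
// ASSUMPTIONS: the route name, the option key 'example_connector_token' and the
// request parameter names ('user', 'password', 'token') are invented.

// --- Vulnerable pattern -------------------------------------------------
// wp_authenticate_application_password( $input_user, $username, $password )
// returns a WP_User on success, a WP_Error on failure, and otherwise passes
// $input_user through unchanged; one case where it does so is a site that has
// never created an application password. Checking only for "not a WP_Error"
// therefore treats that pass-through (null) as a successful login.
function example_vulnerable_permission( WP_REST_Request $request ) {
    $user = wp_authenticate_application_password(
        null,
        (string) $request->get_param( 'user' ),
        (string) $request->get_param( 'password' )
    );
    if ( is_wp_error( $user ) ) {
        return false;
    }
    // Loose comparison: an empty stored token matches a missing request token
    // ('' == null is true in PHP), and no capability is ever verified.
    $stored = get_option( 'example_connector_token', '' );
    return $stored == $request->get_param( 'token' );
}

// --- Hardened pattern ---------------------------------------------------
function example_hardened_permission( WP_REST_Request $request ) {
    $user = wp_authenticate_application_password(
        null,
        (string) $request->get_param( 'user' ),
        (string) $request->get_param( 'password' )
    );
    // Require a concrete authenticated user, not merely "no error".
    if ( ! ( $user instanceof WP_User ) ) {
        return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Connecting an automation service is an administrative action.
    if ( ! user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    // Token: refuse when nothing was ever provisioned, and compare in constant time.
    $stored   = (string) get_option( 'example_connector_token', '' );
    $supplied = (string) $request->get_param( 'token' );
    if ( '' === $stored || '' === $supplied || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid token.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-connector/v1', '/connection', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'connected' => true ) );
        },
        'permission_callback' => 'example_hardened_permission',
    ) );
} );
```

The hardened callback fails closed on every ambiguous path: a pass-through value from the core authenticator is rejected because it is not a `WP_User`, the capability check is made against the authenticated user rather than the current request context, and an unprovisioned (empty) token can never match. Those three checks correspond to the two conditions the article lists for exploitation and to the token-validation weakness it attributes to the plugin.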