Cybersecurity researchers at Patchstack have uncovered a severe security vulnerability in the widely used WordPress plugin OttoKit (formerly SureTriggers), potentially affecting over 100,000 active websites. The critical flaw enables unauthenticated attackers to create administrator accounts on vulnerable WordPress installations, posing a significant risk to website security.
Understanding the Technical Impact
The vulnerability, tracked as CVE-2025-27007, stems from a logical error in the create_wp_connection function. This authentication bypass vulnerability becomes exploitable when application passwords aren’t properly configured, allowing malicious actors to circumvent security controls. OttoKit, which provides automation and third-party service integration capabilities, has become a prime target due to its extensive installation base.
Attack Vector Analysis
Threat actors are actively exploiting this vulnerability through the plugin’s REST API endpoints. The attack methodology involves sending specially crafted requests that simulate legitimate integration attempts, utilizing enumerated admin usernames, randomly generated passwords, and forged access tokens. Upon successful exploitation, attackers leverage additional API calls to establish unauthorized administrative access.
Detection and Indicators of Compromise
Security teams should monitor for suspicious requests targeting the /wp-json/sure-triggers/v1/automation/action endpoint (or a rest_route parameter pointing at that same route) whose payload carries the signature "type_event": "create_user_if_not_exists". Regular log analysis is crucial for identifying potential compromise attempts.
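The following detector is an added example for the indicators just described; it is not code from Patchstack, OttoKit or the article. It normalises both ways WordPress exposes a REST route (the /wp-json/ path and the rest_route query parameter) so that one comparison covers both, and it rates a hit as high severity when the logged request body carries the "type_event": "create_user_if_not_exists" signature. The log lines are constructed, and the trailing request-body field is an assumption about the deployment (a WAF or reverse proxy configured to capture bodies); a stock web-server access log has no such field, in which case only the route match is available.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# REST route named in the advisory, without the /wp-json/ prefix.
TARGET_ROUTE = "/sure-triggers/v1/automation/action"

# Payload signature from the advisory; the optional backslashes tolerate
# logs that escape quotes inside the body field (\"type_event\").
PAYLOAD_SIGNATURE = re.compile(
    r'\\?"type_event\\?"\s*:\s*\\?"create_user_if_not_exists\\?"'
)

# Combined log format plus one optional trailing quoted field for the request
# body. Logging the body is an assumption about the deployment, not a default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>.*)")?$'
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # Benign core REST call: must not be flagged.
    '203.0.113.10 - - [05/May/2025:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    # Hit on the route via the pretty-permalink path, body carries the signature.
    '198.51.100.7 - - [05/May/2025:10:02:15 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 73 "-" "python-requests/2.31" "{\\"type_event\\": \\"create_user_if_not_exists\\"}"',
    # Same route through a percent-encoded rest_route parameter, no body logged.
    '198.51.100.7 - - [05/May/2025:10:02:16 +0000] "POST /?rest_route=%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 403 0 "-" "python-requests/2.31" "-"',
    # Another benign core route: must not be flagged.
    '203.0.113.12 - - [05/May/2025:10:03:00 +0000] "GET /wp-json/wp/v2/comments HTTP/1.1" 200 40 "-" "Mozilla/5.0" "-"',
]


def rest_route(target: str) -> Optional[str]:
    """Return the REST route a request addresses, or None if it is not a REST call.

    WordPress serves the REST API as /wp-json/<route> and, on sites without
    pretty permalinks, as /?rest_route=/<route>. Both are reduced to the bare
    route so the comparison against TARGET_ROUTE is the same for either form.
    """
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):].strip("/")
    route = parse_qs(parts.query).get("rest_route")
    if route:
        return "/" + route[0].strip("/")  # parse_qs already percent-decodes
    return None


def scan(lines: List[str]) -> List[dict]:
    """Return one finding per request that reaches the OttoKit automation route.

    Severity is "high" when the logged body contains the create_user signature
    and "medium" for any other request to the route (worth reviewing, since the
    body may simply not have been logged).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if rest_route(m["target"]) != TARGET_ROUTE:
            continue
        body = m["body"] or ""
        severity = "high" if PAYLOAD_SIGNATURE.search(body) else "medium"
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "status": m["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against real logs by replacing SAMPLE_LOG with the lines of the access or WAF log; a 200 response on a high-severity hit is the case to escalate, while a 403 on the same route shows the request was refused by the patched plugin or by a blocking rule and still records an attempt from that source.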
Mitigation Strategies
The development team has addressed this vulnerability in OttoKit version 1.0.83 by implementing mandatory access key validation for incoming requests. Website administrators are strongly advised to implement the following security measures:
– Immediately upgrade to OttoKit version 1.0.83 or later
– Conduct comprehensive system log audits
– Review and verify all administrative user accounts
– Implement robust access control mechanisms
This security incident marks the second critical vulnerability discovered in OttoKit since April 2025, following the recently disclosed CVE-2025-3102. The recurring security issues emphasize the critical importance of maintaining robust WordPress security practices, including regular plugin updates, comprehensive security monitoring, and the implementation of defense-in-depth strategies. Website administrators should adopt a proactive approach to security management, incorporating automated update systems and continuous security monitoring to protect against emerging threats in the WordPress ecosystem.