Hackers exploit OttoKit WordPress plugin flaw to add admin accounts

Published on: 2025-07-21 05:37:48

Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.

OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used on over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.

Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson. The flaw, tracked as CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, which bypasses authentication checks when application passwords aren't set.

The vendor was informed the next day, and a patch was released on April 21, 2025, in OttoKit version 1.0.83, adding a validation check for the access key used in the request. By April 24, 2025, most plugin users had been force-updated to the pat ...
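To make the bug class concrete, here is an added, hypothetical PHP illustration of a REST connection callback that only verifies its access key inside the branch handling application passwords, beside a version that validates the key unconditionally; it is not OttoKit's code, and the option name, function names and route are assumptions.

```php
<?php
// Hypothetical reconstruction of the pattern described in the article:
// an endpoint whose only authentication check lives in a branch that runs
// solely when an application password is supplied. Not OttoKit's own code.

// Stored connection secret; assumed option name for this illustration.
function demo_stored_access_key(): string {
    return (string) get_option('demo_access_key', '');
}

// VULNERABLE pattern: the access-key comparison is nested under the
// application-password branch. A request with no password never reaches
// it and is treated as trusted.
function demo_create_connection_vulnerable(WP_REST_Request $request) {
    $access_key = (string) $request->get_param('access_key');
    $password   = (string) $request->get_param('password');

    if ($password !== '') {
        if (!hash_equals(demo_stored_access_key(), $access_key)) {
            return new WP_Error('forbidden', 'Invalid access key', ['status' => 403]);
        }
    }
    // Falls through as authenticated when $password is empty.
    return demo_finish_connection($request);
}

// FIXED pattern: the key is validated before anything else, with a
// constant-time comparison, and an unset secret is never accepted.
function demo_create_connection_fixed(WP_REST_Request $request) {
    $access_key = (string) $request->get_param('access_key');
    $stored     = demo_stored_access_key();

    if ($stored === '' || !hash_equals($stored, $access_key)) {
        return new WP_Error('forbidden', 'Invalid access key', ['status' => 403]);
    }
    return demo_finish_connection($request);
}

// Placeholder for the work done once the caller is trusted (e.g. storing
// the connection); the privileged action is what the flaw exposed.
function demo_finish_connection(WP_REST_Request $request) {
    return rest_ensure_response(['connected' => true]);
}

// Assumed route registration; 'permission_callback' => '__return_true'
// is exactly why the callback itself must do the authentication.
add_action('rest_api_init', function () {
    register_rest_route('demo/v1', '/connection', [
        'methods'             => 'POST',
        'callback'            => 'demo_create_connection_fixed',
        'permission_callback' => '__return_true',
    ]);
});
```

When reviewing a plugin for this class of issue, check that every public REST route with a permissive `permission_callback` validates its credential on all code paths, not only when an optional parameter is present.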