
OttoKit WordPress Plugin Hit by New Critical Flaw


A newly discovered critical vulnerability in the OttoKit plugin is putting thousands of WordPress sites at risk—just weeks after a separate bug in the same plugin was exploited to hijack websites. Security researchers are urging immediate action.

OttoKit, formerly known as SureTriggers, is a popular automation plugin used by more than 100,000 WordPress installations. It enables users to streamline workflows by linking websites, apps, and other plugins. But now, it’s become a growing attack vector for cybercriminals.

New Critical Flaw Enables Admin Account Takeover

According to Defiant, the cybersecurity firm behind Wordfence, a second serious vulnerability—tracked as CVE-2025-27007 with a CVSS severity score of 9.8—is being actively targeted. This flaw allows unauthenticated attackers to remotely connect to a vulnerable site and elevate their privileges, potentially gaining full administrative access.

The core issue lies in the plugin’s create_wp_connection() function, which fails to properly check whether the request is coming from an authenticated user. That means attackers can slip through without needing valid login credentials—but only under specific conditions.

To be vulnerable, a site must:

  • Never have enabled or used an application password
  • Never have previously connected OttoKit (or SureTriggers) using an application password

If those two conditions are met, an attacker can exploit the flaw and create an admin user through OttoKit’s automation features. Sites that have already used application passwords remain shielded from unauthenticated attacks—but they’re still at risk from insiders or authenticated users abusing their access.

Exploitation Already in the Wild

Defiant warns that attackers have already begun exploiting this second OttoKit flaw, just weeks after they used another vulnerability—CVE-2025-3102—to hijack unconfigured WordPress installs. In those attacks, threat actors also created admin accounts and silently took over websites.

The new CVE-2025-27007 flaw is now being used in tandem with the earlier bug, forming a two-step attack strategy. First, hackers use the connection exploit to access the site. Then, they trigger the automation endpoint to generate a rogue admin account.

What Site Owners Must Do Now

The fix is already available. OttoKit’s developers have released version 1.0.83, which patches both critical bugs. All WordPress site owners and administrators using OttoKit are strongly advised to update immediately.

Additionally, Defiant has published Indicators of Compromise (IoCs) to help security teams detect and respond to attacks. Admins should:

  • Check for unauthorized admin users
  • Review OttoKit connections
  • Examine recent automation endpoint logs
  • Ensure application passwords are enabled and in use
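The two preconditions listed above (no application password ever used) and the post-incident checks in this list can be turned into a small audit script. The following is an added example, not code from Defiant, Wordfence or the OttoKit developers. It assumes the administrator has exported users with `wp user list --format=json` and per-user application passwords with `wp user application-password list <user> --format=json`; the sample data embedded below is constructed in those shapes and is not real site data, the cutoff date and the known-admin baseline are constructed inputs, and all function names are hypothetical.

```python
"""Audit helper for the OttoKit advisory: checks the plugin version against
the fixed release, checks the application-password precondition, and flags
administrator accounts that are new or not on a known-good baseline."""
import json
from datetime import datetime

FIXED_VERSION = "1.0.83"  # release named in the advisory as patching both bugs

# Constructed sample in the shape of `wp user list --format=json`.
# `roles` is a comma-separated string, as wp-cli emits it.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2024-01-15 09:12:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2024-06-02 11:00:00", "roles": "editor"},
    {"ID": 3, "user_login": "wpsupport01", "user_email": "svc@example.com",
     "user_registered": "2025-05-06 03:14:22", "roles": "administrator"},
])

# Constructed sample keyed by user ID, each value in the shape of
# `wp user application-password list <user> --format=json`. Empty lists for
# every user mean no application password was ever created, which is the
# precondition under which the unauthenticated path applies.
SAMPLE_APP_PASSWORDS = {"1": [], "2": [], "3": []}


def parse_version(version):
    """Turn '1.0.83' into (1, 0, 83) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed plugin is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def application_passwords_ever_used(app_pw_by_user):
    """True if any user has at least one application password on record."""
    return any(len(entries) > 0 for entries in app_pw_by_user.values())


def suspicious_admins(users, known_admins, since):
    """Administrators that are either absent from the known-good baseline or
    registered on/after the cutoff date (both signals are worth a look)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


def audit(installed_version, users_json, app_pw_by_user, known_admins, since):
    """Combine the three checks into one report dictionary."""
    users = json.loads(users_json)
    update_needed = needs_update(installed_version)
    return {
        "installed_version": installed_version,
        "needs_update": update_needed,
        # Unauthenticated exploitation needs both an unpatched plugin and a
        # site on which no application password has ever been used.
        "unauthenticated_path_applies": update_needed
        and not application_passwords_ever_used(app_pw_by_user),
        "suspicious_admins": suspicious_admins(users, known_admins, since),
    }


if __name__ == "__main__":
    # Constructed baseline and cutoff for the demonstration run.
    report = audit("1.0.82", SAMPLE_USERS_JSON, SAMPLE_APP_PASSWORDS,
                   known_admins={"siteowner"}, since="2025-04-01")
    print(json.dumps(report, indent=2))
```

On a real site, replace the embedded samples with the wp-cli exports and the baseline with the list of administrators you actually created; an account the script flags is a lead to investigate, not proof of compromise by itself.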

Don’t Ignore the Ongoing Threat

Even as this new exploit spreads, Defiant continues to see attempts targeting the original CVE-2025-3102 vulnerability. That means any unpatched WordPress site running OttoKit could be exposed to multiple attack methods—both old and new.

The situation underscores a growing risk for WordPress websites relying on third-party automation tools. Insecure plugin configurations and overlooked patches are increasingly being used as a backdoor by cybercriminals.
