The exploitation of a second vulnerability in the OttoKit WordPress plugin has come to light, less than a month after threat actors were seen targeting a different bug to take over websites, WordPress security firm Defiant warns.
A plugin with more than 100,000 installations, OttoKit: All-in-One Automation Platform (formerly SureTriggers) provides site administrators with task automation options, allowing them to connect apps, websites, and other plugins.
In early April, attackers were seen exploiting CVE-2025-3102, a missing check issue impacting new and unconfigured OttoKit installations, to create new administrative accounts and take over vulnerable websites.
Now, Defiant warns of attacks targeting a fresh bug in the plugin, CVE-2025-27007 (CVSS score of 9.8), that could allow unauthenticated attackers to connect to impacted sites.
The security defect resides in the plugin’s ‘create_wp_connection()’ function, which fails to properly verify a user’s authentication, allowing attackers to elevate their privileges.
However, the successful exploitation of the vulnerability requires that the “site has never enabled or used an application password, and OttoKit/SureTriggers has never been connected to the website using an application password before,” Defiant explains.
“In this case, an attacker should be able to successfully exploit this vulnerability without any knowledge of a valid username,” the security firm notes.
Because a successful connection in some cases requires an application password, sites that have already connected to the plugin with an application password should not allow unauthenticated connections.
Defiant notes that an authenticated attacker who can generate an application password can exploit the bug at will. However, such level of access would likely open for the attacker other paths to exploit the compromised site.
“Currently, it appears that attackers are attempting to exploit the initial connection vulnerability to establish a connection with the site, and then subsequently use that to create an administrative user account through the automation/action endpoint,” Defiant notes.
The security firm has shared indicators of compromise (IoCs) to help site administrators hunt for signs of exploitation. It also warns that it continues to see attempts to exploit the previous OttoKit bug, CVE-2025-3102.
OttoKit version 1.0.83 contains patches for both vulnerabilities. Site owners and administrators are advised to update their installations as soon as possible.
Related: Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory
Related: 8,000 New WordPress Vulnerabilities Reported in 2024
Related: Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites
Related: Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites
