Full Report
Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites. [...]
Analysis Summary
# Vulnerability: OttoKit WordPress Plugin Authentication Bypass Leading to Admin Account Creation
## CVE Details
- CVE ID: Not explicitly provided in the text for this specific vulnerability, though a related one (CVE-2025-3102) is mentioned.
- CVSS Score: Not explicitly provided, but the severity is implied as "critical" due to active exploitation and the outcome (admin creation).
- CWE: Likely related to Insecure Direct Object Reference (IDOR) or Authentication Bypass weakness, based on function exploitation.
## Affected Systems
- Products: OttoKit WordPress Plugin (formerly SureTriggers)
- Versions: Prior to 1.0.83
- Configurations: Exploitable when application passwords are not set, allowing an unauthenticated attacker to leverage the `create_wp_connection` function.
## Vulnerability Description
The vulnerability resides in the OttoKit WordPress plugin, specifically within the `create_wp_connection` function. This function allows an unauthenticated attacker to bypass existing authentication checks (especially when application passwords are not configured) by sending specially crafted requests that mimic legitimate integration attempts. Successful exploitation allows the attacker to subsequently use API calls targeting the `/wp-json/sure-triggers/v1/automation/action` endpoint with the payload `"type_event": "create_user_if_not_exists"` to silently create new administrator accounts on the vulnerable WordPress installation.
## Exploitation
- Status: Exploited in the wild (Active exploitation started shortly after public disclosure).
- Complexity: Low (Attackers attempt exploitation using guessed/brute-forced usernames, random passwords, and fake access keys).
- Attack Vector: Network (Via REST API endpoints).
## Impact
- Confidentiality: High (New admin accounts grant full access to site data).
- Integrity: High (Attackers gain administrative control to modify site content, code, and user data).
- Availability: High (Potential for site defacement, sabotage, or denial of service through administrative actions).
## Remediation
### Patches
- OttoKit version 1.0.83 (released April 21, 2025), which adds a validation check for the access key used in the request. (Note: Most users were force-updated by April 24, 2025.)
### Workarounds
- Review site logs and settings for indicators of compromise (IOCs).
- Ensure application passwords (if applicable to the environment) are configured, although the primary fix is updating the plugin.
## Detection
- **Indicators of Compromise:** Look for unusual API calls targeting REST API endpoints:
  - Requests mimicking integration attempts using `create_wp_connection`.
  - Subsequent API calls to `/wp-json/sure-triggers/v1/automation/action` or `?rest_route=/wp-json/sure-triggers/v1/automation/action` containing the payload `"type_event": "create_user_if_not_exists"`.
  - Newly created, unknown administrator accounts on the WordPress site.
- **Detection methods and tools:** Review web server access logs and WordPress activity logs for the specific exploitation patterns noted above.
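As an added example (not from the original report or the OttoKit project), the following Python script applies the detection guidance above to constructed web-server access-log lines: it flags requests to the `/wp-json/sure-triggers/v1/automation/action` endpoint in both the plain-path and `?rest_route=` forms, and raises the severity when the logged request body carries `"type_event": "create_user_if_not_exists"`. It assumes the server appends the POST body in a trailing `body=` field, which is not a default configuration; the log lines, IP addresses and timestamps are constructed.

```python
"""Scan access-log lines for the OttoKit/SureTriggers exploitation pattern.

Added example for the report above; not part of the original page. The
sample log lines are constructed, and the trailing ``body=`` field is an
assumption about how the server was configured to log request bodies.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the report's Detection section.
AUTOMATION_ACTION = "/sure-triggers/v1/automation/action"
PAYLOAD_INDICATOR = "create_user_if_not_exists"

# Combined log format with an optional ``body=...`` suffix (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: body=(?P<body>.*))?$'
)

# Constructed sample: two payload hits (path form and rest_route form),
# one endpoint-only hit, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2025:10:01:02 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 87 "-" "python-requests/2.31" body={"type_event":"create_user_if_not_exists","user_name":"admin2"}
203.0.113.5 - - [22/Apr/2025:10:01:30 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 87 "-" "python-requests/2.31" body={"type_event":"some_other_event"}
198.51.100.7 - - [22/Apr/2025:10:02:00 +0000] "POST /index.php?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 87 "-" "curl/8.1" body={"type_event":"create_user_if_not_exists"}
192.0.2.9 - - [22/Apr/2025:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1200 "-" "Mozilla/5.0" body=-
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def request_targets_automation_action(url):
    """True if the URL reaches the automation/action route by path or rest_route."""
    parts = urlsplit(url)
    if AUTOMATION_ACTION in unquote(parts.path):
        return True
    # parse_qs percent-decodes values, so an encoded rest_route is handled too.
    return any(AUTOMATION_ACTION in route for route in parse_qs(parts.query).get("rest_route", []))


def body_has_user_creation_event(body):
    """True if the logged body carries the user-creation type_event indicator."""
    if not body or body == "-":
        return False
    try:
        data = json.loads(body)
    except ValueError:
        # Body was not clean JSON (truncated or escaped); fall back to substring.
        return PAYLOAD_INDICATOR in body
    return isinstance(data, dict) and data.get("type_event") == PAYLOAD_INDICATOR


def scan_log(text):
    """Return alerts for lines that hit the endpoint; severity 'high' when the
    user-creation payload is present, 'medium' for the endpoint alone (legitimate
    integrations also call it, so those lines need review rather than alarm)."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not request_targets_automation_action(rec["url"]):
            continue
        severity = "high" if body_has_user_creation_event(rec["body"]) else "medium"
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "url": rec["url"],
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ip"]:15} {a["ts"]} {a["url"]}')
```

Correlate any `high` hit with the user table: an administrator account whose registration time falls just after the flagged request is the confirming indicator the report describes.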
## References
- Vendor Advisory (via Patchstack): hXXps://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched/
- Related CVE (Previous flaw): CVE-2025-3102