Full Report
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82. "This is due to the create_wp_connection() function missing a capability check and
Analysis Summary
# Vulnerability: OttoKit (SureTriggers) WordPress Plugin Critical Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-27007
- CVSS Score: 9.8 (Critical)
- CWE: Not stated in the source; the root cause is a missing authorization check, so it falls under Improper Access Control / Authorization Bypass.
## Affected Systems
- Products: OttoKit WordPress Plugin (formerly SureTriggers)
- Versions: All versions prior to and including 1.0.82
- Configurations: Exploitable under specific conditions related to application password usage.
## Vulnerability Description
This vulnerability is an authentication bypass and subsequent privilege escalation flaw in the `create_wp_connection()` function within the OttoKit plugin. The function fails to perform a capability check and insufficiently verifies a user's authentication credentials, allowing an unauthenticated attacker in specific scenarios to establish a connection. This connection can then be leveraged to create an administrative user account via the automation/action endpoint.
The attack is most relevant when either of the following holds:
1. The site has never enabled or used an application password, and OttoKit has never previously been connected using one.
2. The attacker already has authenticated access to the site and can generate a valid application password.
Note: This vulnerability is being actively exploited concurrently with CVE-2025-3102 (CVSS 8.1).
## Exploitation
- Status: Exploited in the wild (Active exploitation observed since at least May 2, 2025, with mass exploitation starting May 4, 2025)
- Complexity: Low (Unauthenticated access can lead to privilege escalation under the right conditions)
- Attack Vector: Network (Remote exploitation possible)
## Impact
- Confidentiality: High (Leads to administrative account creation)
- Integrity: High (Leads to administrative account creation)
- Availability: Medium (Though the primary goal is account takeover, successful large-scale compromise can affect site availability)
## Remediation
### Patches
- Update the OttoKit (SureTriggers) WordPress plugin to **version 1.0.83** or later.
### Workarounds
- No specific workarounds were detailed; because active exploitation of this flaw and a related one has been observed, immediate patching is strongly advised.
## Detection
- Indicators of compromise include attempts to leverage the `create_wp_connection()` function without proper authorization, or the creation of unexpected administrative user accounts.
- Threat actors were observed using a recurring set of source IP addresses when scanning for and targeting the vulnerabilities.
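The second indicator above (unexpected administrator accounts) can be checked mechanically. The script below is an added example, not code from the advisory or the plugin: it flags administrators that are missing from a site owner's baseline or were registered on or after the date exploitation was first observed. It assumes the CSV layout produced by wp-cli's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`, and the sample rows and baseline are constructed.

```python
"""Flag unexpected WordPress administrator accounts from a wp-cli user export."""
import csv
import io
from datetime import datetime

# Constructed sample: mimics the CSV printed by
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# The logins, addresses and timestamps are made up.
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:12:00
7,jane_admin,jane@example.com,2023-08-02 11:40:21
42,wpadmin_svc,x@mail.invalid,2025-05-04 03:17:55
"""

# Known-good administrator logins maintained by the site owner (constructed baseline).
BASELINE_ADMINS = {"siteowner", "jane_admin"}

# Exploitation of CVE-2025-27007 was observed from 2 May 2025 (per the advisory);
# any administrator registered on or after that date deserves manual review.
EXPLOITATION_START = datetime(2025, 5, 2)


def find_unexpected_admins(admin_csv, baseline, since=EXPLOITATION_START):
    """Return a list of (login, reason, registered) for administrators that are
    either absent from the baseline or registered at/after `since`."""
    findings = []
    for row in csv.DictReader(io.StringIO(admin_csv)):
        login = row["user_login"]
        # WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS".
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in baseline:
            findings.append((login, "not-in-baseline", registered))
        elif registered >= since:
            findings.append((login, "registered-after-exploitation-start", registered))
    return findings


if __name__ == "__main__":
    for login, reason, registered in find_unexpected_admins(SAMPLE_ADMIN_CSV, BASELINE_ADMINS):
        print(f"REVIEW: {login} ({reason}, registered {registered:%Y-%m-%d %H:%M})")
```

Feed it the live wp-cli output instead of the sample string to audit a real site; any flagged account should be cross-checked against the plugin's connection activity before being disabled.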
## References
- Vendor advisory (via Wordfence): hxxps://www.wordfence.com/blog/2025/05/recently-disclosed-suretriggers-critical-privilege-escalation-vulnerability-under-active-exploitation/
- Primary article: hxxps://thehackernews.com/2025/05/ottokit-wordpress-plugin-with-100k.html