dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

Avatar
info@thehackernews.com (The Hacker News)
May 7, 2025
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  “This is due to the create_wp_connection() function missing a capability check and
Total
0
Shares
0
0
0
[[{“value”:”

A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.

“This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user’s authentication credentials,” Wordfence said. “This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible.”

That said, the vulnerability is exploitable only in two possible scenarios –

When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before
When an attacker has authenticated access to a site and can generate a valid application password

Wordfence revealed that it observed the threat actors attempting to exploit the initial connection vulnerability to establish a connection with the site, followed by using it to create an administrative user account via the automation/action endpoint.

Furthermore, the attack attempts simultaneously aim for CVE-2025-3102 (CVSS score: 8.1), another flaw in the same plugin that has also been exploited in the wild since last month.

This has raised the possibility that the threat actors are opportunistically scanning WordPress installations to see if they are susceptible to either of the two flaws. The IP addresses that have been observed targeting the vulnerabilities are listed below –

2a0b:4141:820:1f4::2
41.216.188.205
144.91.119.115
194.87.29.57
196.251.69.118
107.189.29.12
205.185.123.102
198.98.51.24
198.98.52.226
199.195.248.147

Given that the plugin has over 100,000 active installations, it’s essential that users move quickly to apply the latest patches (version 1.0.83).

“Attackers may have started actively targeting this vulnerability as early as May 2, 2025 with mass exploitation starting on May 4, 2025,” Wordfence said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE in On-Premise Version

May 7, 2025
Next Post

Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks

May 7, 2025
Related Posts
3 min

eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020. The findings come from Security Explorations, a research lab
Avatar
info@thehackernews.com (The Hacker News)
July 14, 2025
Read More
6 min

Why NHIs Are Security’s Most Dangerous Blind Spot

When we talk about identity in cybersecurity, most people think of usernames, passwords, and the occasional MFA prompt. But lurking beneath the surface is a growing threat that does not involve human credentials at all, as we witness the exponential growth of Non-Human Identities (NHIs).  At the top of mind when NHIs are mentioned, most security teams immediately think of Service Accounts.
Avatar
info@thehackernews.com (The Hacker News)
April 25, 2025
Read More