#1 Middle East & Africa Trusted Cybersecurity News & Magazine

Sunday, June 1, 2025
Critical Privilege Escalation Vulnerability in OttoKit (Formerly SureTriggers) Under Active Exploitation


On May 2, 2025, the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (formerly SureTriggers) plugin. This vulnerability, publicly disclosed by a third-party CNA on April 30, 2025, allows unauthenticated attackers to gain administrative-level access to vulnerable WordPress sites under certain conditions. The vulnerability is tracked as CVE-2025-27007 and has a CVSS score of 9.8 (Critical).

The OttoKit plugin is designed to automate workflows across various applications and services. However, a flaw in the plugin’s authentication mechanism has exposed numerous WordPress sites to potential compromise. (Wordfence)

Vulnerability Details

  • Plugin Name: OttoKit: All-in-One Automation Platform (formerly SureTriggers)
  • Plugin Slug: suretriggers
  • Affected Versions: <= 1.0.82
  • CVE ID: CVE-2025-27007
  • CVSS Score: 9.8 (Critical)
  • Fully Patched Version: 1.0.83
  • Researcher: Denver Jackson

The vulnerability stems from the create_wp_connection() function, which lacks proper capability checks and insufficiently verifies user authentication credentials. This oversight allows unauthenticated attackers to establish a connection, potentially leading to privilege escalation.

Exploitation is possible in two scenarios:

  1. If a site has never enabled or used an application password, and OttoKit/SureTriggers has never been connected to the website using an application password.
  2. If an attacker has authenticated access to a site and can generate a valid application password.

Active Exploitation

Wordfence’s records indicate that attackers may have started actively exploiting this vulnerability as early as May 2, 2025, with mass exploitation beginning on May 4, 2025. The Wordfence Firewall has already blocked over 2,400 exploit attempts targeting this vulnerability.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting this vulnerability on May 2, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 1, 2025.

The developer of OttoKit worked with the WordPress.org team to perform a forced update, so the majority of sites should already be running the patched version of the plugin, 1.0.83. Site administrators are strongly advised to verify that their site is running the latest patched version and update it without delay if it is not, as this vulnerability is under active exploitation.

Indicators of Compromise

Attackers are exploiting the initial connection vulnerability to establish a connection with the site and then create an administrative user account through the automation/action endpoint. They are also attempting to exploit CVE-2025-3102, indicating that they are targeting multiple vulnerabilities to compromise sites.

Exploits targeting CVE-2025-3102 can be distinguished by the presence of an empty St-Authorization header in the request.

Example Initial Request

POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1
Host: [redacted]
User-Agent: OttoKit
Content-Type: application/json

{
  "sure-triggers-access-key": "[redacted]",
  "wp-password": "[redacted]",
  "connection_status": "ok",
  "wp-username": "wp_owsr",
  "connected_email": "[redacted]"
}

Example Admin Creation Request

POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Host: [redacted]
User-Agent: OttoKit
Content-Type: application/x-www-form-urlencoded

selected_options[user_name]=wp_domc&
selected_options[user_email]=[redacted]&
selected_options[password]=[redacted]&
selected_options[role]=administrator&
aintegration=WordPress&
type_event=create_user_if_not_exists
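As an added illustration (not Wordfence's or OttoKit's code), the following Python parses raw HTTP requests like the two above and returns the advisory's indicators: which of the two endpoints was hit, whether an St-Authorization header is present but empty, whether the body asks the action endpoint to create an administrator, and the username involved. The two sample requests are constructed from the examples above with the redacted values replaced by placeholders and a made-up host name.

```python
import json
from urllib.parse import parse_qs

# Endpoints named in the advisory; the labels are used in the returned record.
ENDPOINTS = {"/wp-json/sure-triggers/v1/connection/create-wp-connection": "create-wp-connection",
             "/wp-json/sure-triggers/v1/automation/action": "automation/action"}
def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # an empty value stays ""
    return method, target.split("?", 1)[0], headers, body

def classify_request(raw):
    """Return the advisory's indicators found in one request."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    params = {}
    if "json" in ctype:
        params = json.loads(body or "{}")
    elif "x-www-form-urlencoded" in ctype:
        params = {k: v[0] for k, v in parse_qs(body).items()}
    return {
        "endpoint": ENDPOINTS.get(path),
        # Empty St-Authorization header: the CVE-2025-3102 indicator from the advisory.
        "empty_st_authorization": headers.get("st-authorization") == "",
        # Admin creation through the action endpoint, as in the advisory's second request.
        "creates_admin": (method == "POST" and ENDPOINTS.get(path) == "automation/action"
                          and params.get("type_event") == "create_user_if_not_exists"
                          and params.get("selected_options[role]") == "administrator"),
        "username": params.get("wp-username") or params.get("selected_options[user_name]"),
    }
# Constructed samples modelled on the advisory's two requests (secrets replaced, host made up).
SAMPLE_CONNECTION = (
    "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1\r\n"
    "Host: example.test\r\nUser-Agent: OttoKit\r\nContent-Type: application/json\r\n\r\n"
    '{"sure-triggers-access-key": "REDACTED", "wp-password": "REDACTED", '
    '"connection_status": "ok", "wp-username": "wp_owsr", "connected_email": "REDACTED"}')
SAMPLE_ACTION = (
    "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1\r\n"
    "Host: example.test\r\nUser-Agent: OttoKit\r\nSt-Authorization:\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "selected_options[user_name]=wp_domc&selected_options[user_email]=x%40example.test"
    "&selected_options[password]=REDACTED&selected_options[role]=administrator"
    "&integration=WordPress&type_event=create_user_if_not_exists")
```

Any hit on either endpoint is worth a look in the logs; the creates_admin and empty_st_authorization flags single out the requests the advisory describes.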

Top IPs Targeting the Vulnerability

The following IP addresses have been identified as actively targeting the vulnerable endpoints:

  • 41.216.188.205 – Over 870 blocked requests
  • 144.91.119.115 – Over 690 blocked requests
  • 194.87.29.57 – Over 500 blocked requests
  • 2a0b:4141:820:1f4::2 – Over 200 blocked requests
  • 196.251.69.118 – Over 25 blocked requests

Additionally, IP 107.189.29.12 has made over 139,000 blocked requests targeting the automation/action endpoint, indicating exploitation of both CVE-2025-3102 and CVE-2025-27007.

Administrative User Accounts

Attackers are creating administrative user accounts with specific username patterns:

  • Usernames prefixed with wp_ followed by four random letters (e.g., wp_pfuq)
  • Usernames prefixed with xtw18387 followed by random characters (e.g., xtw18387e9db)
  • Usernames prefixed with admin_ followed by random alphanumeric characters (e.g., admin_iw0ag5sx)
  • Usernames prefixed with test_ followed by random alphanumeric characters (e.g., test_iajt388i)

Recommendations

To mitigate the risk of exploitation, site administrators should take the following actions:

  1. Update the Plugin: Ensure that OttoKit is updated to version 1.0.83 or later.
  2. Verify User Accounts: Check for unauthorized administrative user accounts, especially those matching the patterns mentioned above.
  3. Review Logs: Examine server logs for requests to the following endpoints:
    • /wp-json/sure-triggers/v1/connection/create-wp-connection
    • /wp-json/sure-triggers/v1/automation/action
  4. Implement Application Passwords: Use application passwords for all integrations to prevent unauthorized access.
  5. Install Security Plugins: Utilize security plugins like Wordfence to provide additional protection and monitoring.
  6. Regular Backups: Maintain regular backups of your website to facilitate recovery in case of compromise.
  7. Monitor for Updates: Stay informed about plugin updates and security advisories.
  8. Limit Access: Restrict access to the WordPress admin panel to trusted IP addresses where possible.
  9. Educate Users: Train users on security best practices to prevent social engineering attacks.
  10. Engage Security Services: Consider using services like Wordfence Care or Wordfence Response for incident response and site cleaning.
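To act on recommendation 2 above, here is an added Python triage script (not part of the advisory) that checks a site's user list against the four username patterns and also flags any administrator registered on or after May 2, 2025, the earliest exploitation date given above. It assumes the user list is the JSON array printed by `wp user list --format=json`; the embedded sample is constructed.

```python
import json
import re
from datetime import datetime
# Username patterns reported in the advisory, as anchored regexes (matched lower-cased).
SUSPICIOUS_PATTERNS = {
    "wp_ + four letters": re.compile(r"^wp_[a-z]{4}$"),
    "xtw18387 + random characters": re.compile(r"^xtw18387[0-9a-z]+$"),
    "admin_ + random alphanumerics": re.compile(r"^admin_[0-9a-z]+$"),
    "test_ + random alphanumerics": re.compile(r"^test_[0-9a-z]+$"),
}
# Earliest exploitation date given in the advisory; later admin registrations deserve a look.
EXPLOITATION_START = datetime(2025, 5, 2)
def match_pattern(user_login):
    """Return the label of the first advisory pattern the login matches, else None."""
    for label, rx in SUSPICIOUS_PATTERNS.items():
        if rx.match(user_login.lower()):
            return label
    return None
def triage_users(users_json):
    """Flag administrators matching a pattern or registered since exploitation began."""
    findings = []
    for user in json.loads(users_json):  # shape of `wp user list --format=json`
        roles = user.get("roles", "")
        roles = roles.split(",") if isinstance(roles, str) else list(roles)
        if "administrator" not in roles:
            continue  # the advisory's account IoCs concern admin accounts
        label = match_pattern(user["user_login"])
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        recent = registered >= EXPLOITATION_START
        if label or recent:
            findings.append({"user_login": user["user_login"], "pattern": label,
                             "registered_since_exploitation": recent})
    return findings
# Constructed sample in the shape of `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
     "user_registered": "2021-03-10 08:00:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.test",
     "user_registered": "2023-06-01 12:00:00", "roles": "editor"},
    {"ID": 3, "user_login": "wp_pfuq", "user_email": "a@example.test",
     "user_registered": "2025-05-04 03:12:45", "roles": "administrator"},
    {"ID": 4, "user_login": "xtw18387e9db", "user_email": "b@example.test",
     "user_registered": "2025-05-05 11:40:02", "roles": "administrator"},
    {"ID": 5, "user_login": "admin_iw0ag5sx", "user_email": "c@example.test",
     "user_registered": "2025-05-05 19:02:10", "roles": "administrator"},
    {"ID": 6, "user_login": "contractor", "user_email": "d@example.test",
     "user_registered": "2025-05-10 09:00:00", "roles": "administrator"},
])
```

The admin_ and test_ prefixes can also belong to legitimate accounts, so treat a pattern hit as a prompt to verify the account, not as proof of compromise.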

Conclusion

The critical vulnerability in the OttoKit plugin underscores the importance of proactive security measures and timely updates. With active exploitation underway, it is imperative for site administrators to act swiftly to secure their websites. Regular monitoring, adherence to security best practices, and the use of reputable security tools can significantly reduce the risk of compromise.

For further assistance, Wordfence offers Incident Response services via Wordfence Care and Wordfence Response, providing hands-on support and rapid response times to address security incidents.

Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
