- The OttoKit plugin was vulnerable to a critical flaw that allows the creation of new admin accounts
- It was patched in late April 2025, so users should update now
- Threat actors are looking for exposed websites
OttoKit, a popular automation WordPress plugin, is vulnerable to a critical-severity flaw that allows threat actors to take over entire websites.
The bug is described as an incorrect privilege assignment flaw in Brainstorm Force that allows privilege escalation. It affects all older versions of the website builder plugin, up until version 1.0.83, which was released on April 21, 2025. It is tracked as CVE-2025-27007 and has a severity score of 9.8/10 (critical).
In theory, threat actors could send a crafted POST request to a vulnerable REST API endpoint exposed by OttoKit, containing automation data that mimics internal plugin logic. Due to missing validation, OttoKit would fail to properly authenticate the request, and since the automation logic runs with elevated privileges, the threat actors are ultimately allowed to create a new user account and assign it the administrator role.
Chats leaked
OttoKit, formerly known as SureTriggers, is designed to connect websites with various third-party services and enable workflow automation without coding.
It supports integrations with platforms like WooCommerce, Mailchimp, Google Sheets, and CRMs, allowing users to run tasks such as sending emails, updating user roles, or syncing data across apps.
The plugin has more than 100,000 users, but most of them have applied the patch already. Still, security researchers Patchstack said they observed attacks in the wild, starting almost immediately after the flaw was publicly disclosed.
“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” Patchstack said.
This is the second major vulnerability in OttoKit found this month, after CVE-2025-3102, another authentication bypass flaw, which was given a “high” severity score of 8.1/10.
Via BleepingComputer
Leave a comment