Hackers are actively exploiting a critical vulnerability in the OttoKit WordPress plugin, allowing them to create rogue administrator accounts on targeted websites.

OttoKit, previously known as SureTriggers, is used on over 100,000 websites to automate workflows and connect to third-party services.

The vulnerability, identified as CVE-2025-27007, was reported by researcher Denver Jackson to Patchstack on April 11, 2025. It stems from a logic error in the ‘create_wp_connection’ function, which allows attackers to bypass authentication checks when application passwords aren’t set.

A patch was quickly released on April 21, 2025, to fix the issue, but exploitation began shortly after the flaw was publicly disclosed. Attackers are targeting the plugin’s REST API endpoints and sending requests that mimic legitimate integration attempts, using brute-forced or guessed admin usernames and fake access keys. Once successful, attackers can silently create new administrator accounts on vulnerable sites, allowing them to take control of the affected systems.

Patchstack has urged all OttoKit users to update their plugin immediately and review site logs for signs of compromise.
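A starting point for the log review Patchstack recommends, as an added example that is not Patchstack's, OttoKit's or the article's code: it flags sources that repeatedly POST to the plugin's REST routes and any such request that was accepted, and lists administrator accounts registered on or after the patch date. The REST route prefix, the combined access-log format and the sample log and user data are assumptions or constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Combined-format access-log line (Apache/nginx default); other formats are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Assumed: the article says the attacks hit the plugin's REST API endpoints
# but does not print the route, so set this to the namespace OttoKit registers
# under /wp-json/ on your install.
REST_PREFIX = "/wp-json/OTTOKIT-NAMESPACE-PLACEHOLDER/"


def scan_access_log(lines, rest_prefix=REST_PREFIX, threshold=5):
    """Return (flagged_ips, successes): sources with at least `threshold` POSTs
    to the plugin REST routes (the username/key guessing the article describes),
    and (ip, timestamp, path) for such POSTs that were answered with a 2xx."""
    attempts = defaultdict(int)
    successes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(rest_prefix):
            continue
        attempts[m["ip"]] += 1
        if m["status"].startswith("2"):
            successes.append((m["ip"], m["ts"], m["path"]))
    return {ip for ip, n in attempts.items() if n >= threshold}, successes


def admins_created_since(users, since=date(2025, 4, 21)):
    """users: iterable of (login, role, registered_date). Returns logins of
    administrators registered on or after `since` (default: the patch date)."""
    return sorted(login for login, role, reg in users
                  if role == "administrator" and reg >= since)


# Constructed sample: five rejected guesses then one accepted request from
# 198.51.100.7, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    f'198.51.100.7 - - [22/Apr/2025:03:14:0{i} +0000] "POST {REST_PREFIX}v1/connection HTTP/1.1" {code} 52'
    for i, code in enumerate([401, 401, 401, 401, 401, 200])
] + ['203.0.113.5 - - [22/Apr/2025:03:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1201']

SAMPLE_USERS = [  # constructed (login, role, registered date)
    ("siteowner", "administrator", date(2024, 1, 9)),
    ("editor1", "editor", date(2025, 4, 25)),
    ("wp_support", "administrator", date(2025, 4, 22)),
]
```

An accepted POST from a source that was just rejected several times, followed by an administrator account you did not create, is the combination to reconcile against your own change records.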