Critical Vulnerability in OttoKit WordPress Plugin Actively Exploited

On April 30, 2025, a critical security vulnerability was publicly disclosed in the OttoKit: All-in-One Automation Platform (formerly SureTriggers) WordPress plugin. The flaw allows attackers to gain unauthorized administrative access to WordPress sites under specific conditions, and active exploitation has already begun.

What’s the Risk?

The vulnerability, tracked as CVE-2025-27007, enables two main attack scenarios:

  1. Unauthenticated attackers can gain administrative privileges on sites that have never used an application password or never connected OttoKit/SureTriggers using one.
  2. Authenticated attackers can abuse the plugin if they have valid credentials and generate an application password.

This vulnerability is caused by missing capability checks and insufficient authentication in the plugin’s create_wp_connection() function, which allows privilege escalation.

Security researcher Denver Jackson discovered and responsibly disclosed the vulnerability.

Exploitation Timeline

  • April 30, 2025: Vulnerability publicly disclosed.
  • May 2, 2025: Initial signs of targeted exploitation observed.
  • May 4, 2025: Mass exploitation efforts began, with thousands of attack attempts logged.

Patch and Update Status

A patched version of the plugin, 1.0.83, has been released. The developer coordinated with the WordPress.org plugin team to push a forced update, so most sites should now be running the patched version. A forced update is not a guarantee: sites with automatic updates disabled, sites that cannot reach WordPress.org, or sites where the update failed silently may still be on a vulnerable release.

Administrators should verify that their site is using version 1.0.83 or later. If not, update the plugin immediately.
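The following is an added example for this check, not code from the advisory or from the plugin's authors. It reads the plugin's main PHP file, parses the `Version:` header and compares it numerically against 1.0.83. The plugin directory and file name used as the default path are an assumption for the example; confirm them under `wp-content/plugins/` on your own install. The constructed sample header is included only so the script runs stand-alone.

```python
import re
from pathlib import Path

# First fixed release, per the advisory.
PATCHED_VERSION = (1, 0, 83)

# Assumed path of the plugin's main PHP file relative to the WordPress root.
# The directory and file name are an assumption for this example; confirm them
# under wp-content/plugins/ on your own install before relying on the result.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/suretriggers/suretriggers.php")

# Matches a WordPress plugin header line such as " * Version: 1.0.82".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.M)


def parse_version(text):
    """Extract the 'Version:' header from a plugin file and return it as an
    int tuple, or None if no header is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True for every release up to and including 1.0.82.

    Compare as int tuples, not strings: as strings "1.0.9" > "1.0.83",
    which would wrongly report a much older build as patched."""
    return version < PATCHED_VERSION


def check_plugin_file(path=DEFAULT_PLUGIN_FILE):
    """Return a (status, version) pair for the plugin installed at `path`."""
    p = Path(path)
    if not p.is_file():
        return ("not-installed", None)
    version = parse_version(p.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


# Constructed plugin header for a stand-alone demonstration; not the real file.
SAMPLE_VULNERABLE_HEADER = """<?php
/**
 * Plugin Name: OttoKit: All-in-One Automation Platform
 * Version: 1.0.82
 */
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_VULNERABLE_HEADER)
    print("sample header:", ".".join(map(str, v)),
          "->", "VULNERABLE, update now" if is_vulnerable(v) else "patched")
    status, version = check_plugin_file()
    print("installed plugin:", status, version)
```

Run it from the WordPress root (or pass the real path to `check_plugin_file`). A result of `not-installed` or `unknown` still deserves a look: the plugin may live under a different directory name, or the file may have been tampered with.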

Vulnerability Overview

  • Plugin: OttoKit: All-in-One Automation Platform (formerly SureTriggers)
  • Vulnerable Versions: All versions up to and including 1.0.82
  • CVE ID: CVE-2025-27007
  • Severity: CVSS 9.8 (Critical)
  • Patched Version: 1.0.83
  • Vector: Missing capability checks and insufficient authentication validation in the create_wp_connection() function

Exploitation Details

Attackers abuse the vulnerable REST API endpoint to establish a connection with the plugin, bypass access controls, and then execute actions to create new administrative users. This allows complete takeover of affected WordPress installations.

In some campaigns, attackers also exploit CVE-2025-3102, targeting the automation endpoint as a secondary vector.

Exploit Endpoints Commonly Used

  • /wp-json/sure-triggers/v1/connection/create-wp-connection
  • /wp-json/sure-triggers/v1/automation/action

Indicators of Compromise

Attackers use automated payloads to exploit the vulnerability and create admin users with identifiable naming patterns. Reviewing your site’s access logs and user list may help identify a compromise.

Suspicious Usernames Created

  • Prefix: wp_ + 4 random letters (e.g. wp_pfuq)
  • Prefix: xtw18387 + alphanumeric suffix (e.g. xtw18387cc91)
  • Prefix: admin_ + 8 alphanumeric characters (e.g. admin_o1etqaj6)
  • Prefix: test_ + 8 alphanumeric characters (e.g. test_z0vrl03m)

Notable Attacker IPs

Several IP addresses have been observed in large-scale exploitation attempts. These include:

  • 41.216.188.205
  • 144.91.119.115
  • 194.87.29.57
  • 2a0b:4141:820:1f4::2
  • 196.251.69.118
  • 107.189.29.12
  • 205.185.123.102
  • 198.98.51.24
  • 198.98.52.226
  • 199.195.248.147

Access Log Review

Check your logs for the following indicators of activity:

  • Requests to /wp-json/sure-triggers/v1/connection/create-wp-connection
  • Requests to /wp-json/sure-triggers/v1/automation/action
  • Admin user account creation events tied to unknown IPs or the above naming patterns
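An added example of the sweep described in the "Suspicious Usernames Created" and "Access Log Review" sections, written for this article and not taken from the advisory or the plugin. It parses combined-format web server log lines (the default Apache and nginx access log layout), flags requests to the two abused endpoints, marks whether the source IP is on the list above, and matches a site's user list against the naming patterns. The log lines and usernames embedded below are constructed for the demonstration, not captured traffic.

```python
import re

# Endpoints abused in the CVE-2025-27007 campaigns (from the advisory above).
SUSPECT_ENDPOINTS = (
    "/wp-json/sure-triggers/v1/connection/create-wp-connection",
    "/wp-json/sure-triggers/v1/automation/action",
)

# Source IPs named in the advisory. Treat as a starting list, not a complete one.
KNOWN_BAD_IPS = {
    "41.216.188.205", "144.91.119.115", "194.87.29.57", "2a0b:4141:820:1f4::2",
    "196.251.69.118", "107.189.29.12", "205.185.123.102", "198.98.51.24",
    "198.98.52.226", "199.195.248.147",
}

# Username shapes reported in the campaigns. Anchored with ^...$ so legitimate
# accounts such as "admin_backups" or "test_user" are not flagged by accident.
USERNAME_PATTERNS = (
    re.compile(r"^wp_[a-z]{4}$", re.I),
    re.compile(r"^xtw18387[a-z0-9]+$", re.I),
    re.compile(r"^admin_[a-z0-9]{8}$", re.I),
    re.compile(r"^test_[a-z0-9]{8}$", re.I),
)

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_log(lines):
    """Yield one dict per parseable combined-format line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            # Drop the query string so "?foo=bar" variants still match the endpoint.
            entry["path"] = entry["path"].split("?", 1)[0]
            yield entry


def endpoint_hits(entries):
    """Return requests to the abused endpoints, annotated with whether the
    source IP appears in the advisory's list. Non-2xx attempts are kept too:
    a 403 still tells you someone is probing the plugin."""
    return [{**e, "known_bad_ip": e["ip"] in KNOWN_BAD_IPS}
            for e in entries if e["path"] in SUSPECT_ENDPOINTS]


def suspicious_usernames(usernames):
    """Return the usernames matching any of the campaign naming patterns."""
    return [u for u in usernames if any(p.match(u) for p in USERNAME_PATTERNS)]


def sweep(log_lines, usernames):
    """Run both checks and return everything worth a human's attention."""
    hits = endpoint_hits(parse_access_log(log_lines))
    return {
        "endpoint_hits": hits,
        "ips_to_review": sorted({h["ip"] for h in hits}),
        "suspicious_users": suspicious_usernames(usernames),
    }


# Constructed sample data for a stand-alone run; not real logs or real users.
SAMPLE_LOG = [
    '41.216.188.205 - - [04/May/2025:08:12:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '41.216.188.205 - - [04/May/2025:08:12:03 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 210 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/May/2025:08:15:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/May/2025:09:01:10 +0000] "POST /wp-json/sure-triggers/v1/automation/action?x=1 HTTP/1.1" 403 99 "-" "curl/8.5"',
    'this line is not in combined format and is skipped',
]
SAMPLE_USERS = ["editor_jane", "wp_pfuq", "xtw18387cc91", "admin_o1etqaj6",
                "test_z0vrl03m", "admin_backups", "test_user"]

if __name__ == "__main__":
    result = sweep(SAMPLE_LOG, SAMPLE_USERS)
    for h in result["endpoint_hits"]:
        flag = "KNOWN-BAD-IP" if h["known_bad_ip"] else "unlisted-ip"
        print(f'{h["ts"]} {h["ip"]:<16} {h["method"]} {h["path"]} -> {h["status"]} [{flag}]')
    print("IPs to review:", ", ".join(result["ips_to_review"]))
    print("Suspicious users:", ", ".join(result["suspicious_users"]))
```

On a real site, feed `sweep` the lines of your access log and the output of `wp user list --field=user_login` (or a dump of `wp_users.user_login`). An IP that is not on the list above but does hit `create-wp-connection` is still a finding; the list is what has been observed so far, not the full set of attacker infrastructure.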

Recommendations

  1. Immediately verify that OttoKit/SureTriggers is updated to version 1.0.83 or later.
  2. Audit your site for suspicious new administrator accounts.
  3. Review access logs for requests to the vulnerable endpoints.
  4. Disable or remove the plugin if it’s not in use or cannot be updated.

Conclusion

This vulnerability is a serious threat to WordPress site integrity. Attackers are actively exploiting it to take control of vulnerable sites by establishing a connection through OttoKit and then creating administrative accounts. While many installations have been updated automatically, manual verification is essential. Administrators should update, audit, and monitor their sites without delay.
