OttoKit is a popular automation/integration plugin for WordPress with more than 100,000 active installations; it enables users to connect their resources to third-party services and automate workflows.
On April 11, 2025, Patchstack experts became aware of another critical vulnerability in OttoKit. The issue was discovered and reported by independent security researcher Denver Jackson.
The security hole identified as CVE-2025-27007 enables attackers to gain administrative access using the plugin API. The exploitation is possible due to a logical error in the create_wp_connection function, which allows cybercriminals to bypass the authentication check if the application password isn’t set.
The vulnerability has been fixed on April 21, 2025 in OttoKit version 1.0.83: the developers added an additional validation of the access key used for the request.
According to Patchstack, exploitation of the bug commenced on May 5, 2025, some 90 minutes after the first publication about it.
Attackers exploit REST API endpoints by sending requests imitating legitimate integration attempts and use commands containing the create_wp_connection function and guessed or compromised admin logins, random passwords, and fake access keys and email addresses.
After the exploit has been successfully initialized, attackers make hits to the URLs / and ?rest_route=/ and pass payloads including the “type_event”: “create_user_if_not_exists” value. On vulnerable sites, this results in the creation of new admin accounts.
“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” – Patchstack.
It must be noted that that this is the second critical vulnerability in OttoKit discovered since April 2025. Attacks exploiting the CVE-2025-3102 authentication bypass vulnerability were reported in mid-April.
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →