OttoKit is a popular automation/integration plugin for WordPress with more than 100,000 active installations; it enables users to connect their resources to third-party services and automate workflows.
On April 11, 2025, Patchstack experts became aware of another critical vulnerability in OttoKit. The issue was discovered and reported by independent security researcher Denver Jackson.
The security hole identified as CVE-2025-27007 enables attackers to gain administrative access using the plugin API. The exploitation is possible due to a logical error in the create_wp_connection function, which allows cybercriminals to bypass the authentication check if the application password isn’t set.
The vulnerability has been fixed on April 21, 2025 in OttoKit version 1.0.83: the developers added an additional validation of the access key used for the request.
According to Patchstack, exploitation of the bug commenced on May 5, 2025, some 90 minutes after the first publication about it.
Attackers exploit REST API endpoints by sending requests imitating legitimate integration attempts and use commands containing the create_wp_connection function and guessed or compromised admin logins, random passwords, and fake access keys and email addresses.
After the exploit has been successfully initialized, attackers make hits to the URLs / and ?rest_route=/ and pass payloads including the “type_event”: “create_user_if_not_exists” value. On vulnerable sites, this results in the creation of new admin accounts.
“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” – Patchstack.
It must be noted that that this is the second critical vulnerability in OttoKit discovered since April 2025. Attacks exploiting the CVE-2025-3102 authentication bypass vulnerability were reported in mid-April.
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →