OttoKit WordPress plugin targeted by massive attacks

📟 News

Date: 13/05/2025

Hackers are exploiting a critical privilege escalation vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin to create new administrator accounts on vulnerable sites.

OttoKit is a popular automation and integration plugin for WordPress with more than 100,000 active installations; it lets site owners connect their WordPress resources to third-party services and automate workflows.

On April 11, 2025, Patchstack learned of another critical vulnerability in OttoKit. The bug was discovered and reported by independent security researcher Denver Jackson.

The flaw, tracked as CVE-2025-27007, lets attackers obtain administrator access through the plugin's API. Exploitation is possible because of a logic error in the create_wp_connection function: when no application password has been set, the function's authentication check can be bypassed.

The vulnerability was fixed on April 21, 2025, in OttoKit version 1.0.83, where the developers added an additional validation of the access key supplied with the request.

According to Patchstack, exploitation began on May 5, 2025, roughly 90 minutes after the vulnerability was first publicly disclosed.

Attackers target the plugin's REST API endpoints with requests that imitate legitimate integration attempts: the requests invoke create_wp_connection and carry guessed or compromised admin usernames, random passwords, and fake access keys and email addresses.

Once that initial request succeeds, attackers send requests to /wp-json/sure-triggers/v1/automation/action and to the equivalent ?rest_route=/wp-json/sure-triggers/v1/automation/action route, with payloads containing the value "type_event": "create_user_if_not_exists". On vulnerable sites, this results in the creation of new administrator accounts.
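The two request shapes above are the indicators most sites can actually look for. The following script is an added example (not Patchstack's or OttoKit's code) that scans constructed Apache/nginx combined-format access-log lines for hits on the plugin's REST namespace, covering both the pretty /wp-json/ path and the ?rest_route= fallback (percent-encoded or not), and, where a WAF or full-request log has captured the body, flags the create_wp_connection and create_user_if_not_exists markers. The log lines and the JSON body are constructed for illustration; a plain access log does not record request bodies, so the body check only applies when you have such a capture.

```python
"""Scan access-log lines (and optional captured request bodies) for the
OttoKit / SureTriggers REST indicators described in the article.
All sample data below is constructed for illustration."""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# REST namespace seen in the reported attack URLs.
REST_NAMESPACE = "/sure-triggers/v1/"
# Markers the article reports in the attack payloads.
BODY_INDICATORS = ("create_wp_connection", "create_user_if_not_exists")

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def targets_ottokit_rest(target: str) -> bool:
    """True if the request target addresses the plugin's REST namespace,
    via the /wp-json/ path or the ?rest_route= query parameter."""
    parts = urlsplit(target)
    if REST_NAMESPACE in unquote(parts.path):
        return True
    # parse_qs already percent-decodes; unquote again for double-encoding.
    for route in parse_qs(parts.query).get("rest_route", []):
        if REST_NAMESPACE in unquote(route):
            return True
    return False


def body_indicators(body: str) -> list:
    """Return the reported payload markers found in a captured request body.
    The exact nesting of the attack JSON is not documented, so the body is
    normalised (if it is JSON) and searched as text."""
    if not body:
        return []
    try:
        text = json.dumps(json.loads(body))
    except ValueError:
        text = body
    return [marker for marker in BODY_INDICATORS if marker in text]


def scan_access_log(lines, bodies=None):
    """Return one finding per log line that hits the plugin's REST routes.
    `bodies` optionally maps a line index to its captured request body."""
    bodies = bodies or {}
    findings = []
    for idx, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m or not targets_ottokit_rest(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
            "body_indicators": body_indicators(bodies.get(idx, "")),
        })
    return findings


# Constructed sample data: two suspicious hits from one IP, one benign line.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2025:14:02:11 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '203.0.113.7 - - [05/May/2025:14:02:12 +0000] "POST /?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '198.51.100.4 - - [05/May/2025:14:03:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4381 "-" "Mozilla/5.0"',
]
# Constructed body for the first line, as a WAF log might have captured it.
SAMPLE_BODIES = {0: '{"type_event": "create_user_if_not_exists"}'}

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG, SAMPLE_BODIES):
        print(finding)
```

Any hit on these routes from an unfamiliar IP in the days after May 5 deserves a look; correlate the timestamps with the user_registered column of the wp_users table and with the administrator role in wp_usermeta, since a newly created admin is the end goal the article describes. A request that received HTTP 200 is more worrying than one that was rejected, but the patched plugin should be the reason it was rejected, not luck.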

"It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise," Patchstack said.

Note that this is the second critical vulnerability found in OttoKit since April 2025: attacks exploiting the CVE-2025-3102 authentication bypass were reported in mid-April.
