
OttoKit is a popular automation/integration plugin for WordPress with more than 100,000 active installations; it lets site owners connect their WordPress sites to third-party services and automate workflows.
On April 11, 2025, Patchstack learned of another critical vulnerability in OttoKit. The issue was discovered and reported by independent security researcher Denver Jackson.
The flaw, tracked as CVE-2025-27007, lets an attacker obtain administrative access through the plugin's API without a valid password. It stems from a logic error in the create_wp_connection function: if no application password is set, the authentication check can be bypassed.
The vulnerability was fixed on April 21, 2025 in OttoKit version 1.0.83: the developers added an extra validation step for the access key supplied with the request.
According to Patchstack, exploitation of the bug began on May 5, 2025, some 90 minutes after the first public write-up about it.
Attackers target the plugin's REST API endpoints with requests that imitate legitimate integration attempts: they call create_wp_connection with guessed or compromised admin usernames, random passwords, and fake access keys and e-mail addresses.
Once the connection has been established, attackers send requests to the URLs / and ?rest_route=/ with payloads containing "type_event": "create_user_if_not_exists". On vulnerable sites, this creates new administrator accounts.
“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” – Patchstack.
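The indicators above (a create_wp_connection call, REST hits in both the /wp-json/ and ?rest_route= forms, and a "type_event" of "create_user_if_not_exists") can be checked mechanically. The following Python script is an added example, not code from Patchstack or the OttoKit project: it normalises both REST URL forms to one route, extracts the indicators from request records, and flags source IPs that show the full connection-then-user-creation chain. The record format (ip, method, uri, body) and the sample records are constructed for the example, and the route paths in them are placeholders, since the article does not reproduce the real endpoint path; detection keys on the function name and event type the article gives, not on the path.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicator strings from the article: the plugin function the attackers
# call, and the event type whose handler creates the admin account.
CONNECTION_MARKER = "create_wp_connection"
USER_CREATION_EVENT = "create_user_if_not_exists"


def rest_route(uri):
    """Normalise a request URI to its REST route.

    WordPress accepts the pretty form  /wp-json/<route>  and the query
    form  /?rest_route=/<route>; the attackers used both. Returns None
    for requests that are not REST API calls at all.
    """
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return query["rest_route"][0]
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    return None


def indicators(entry):
    """Return the set of indicator names present in one request record.

    entry is a dict with keys ip, method, uri, body (body may be '').
    Non-REST requests never match, which keeps wp-login.php noise out.
    """
    found = set()
    if rest_route(entry["uri"]) is None:
        return found
    body = entry.get("body", "")
    if CONNECTION_MARKER in entry["uri"] or CONNECTION_MARKER in body:
        found.add("connection_attempt")
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        payload = {}  # non-JSON body: cannot carry the type_event field
    if isinstance(payload, dict) and payload.get("type_event") == USER_CREATION_EVENT:
        found.add("user_creation")
    return found


def scan(entries):
    """Aggregate indicators per source IP and flag the two-step chain:
    a create_wp_connection call plus a user-creation event from one IP."""
    seen = defaultdict(set)
    for entry in entries:
        seen[entry["ip"]] |= indicators(entry)
    report = {}
    for ip, found in seen.items():
        if found:
            report[ip] = {
                "connection_attempt": "connection_attempt" in found,
                "user_creation": "user_creation" in found,
                "full_chain": {"connection_attempt", "user_creation"} <= found,
            }
    return report


# Constructed sample records (not real traffic). The "example-plugin"
# route paths are placeholders, not the real OttoKit endpoint.
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "method": "POST",
     "uri": "/wp-json/example-plugin/v1/connection/create_wp_connection",
     "body": '{"wp_username":"admin","wp_password":"x9Qd","access_key":"fake"}'},
    {"ip": "203.0.113.5", "method": "POST",
     "uri": "/?rest_route=/example-plugin/v1/automation/action",
     "body": '{"type_event":"create_user_if_not_exists","user_email":"a@b.test"}'},
    {"ip": "198.51.100.7", "method": "GET",
     "uri": "/?rest_route=/wp/v2/posts", "body": ""},
    {"ip": "198.51.100.9", "method": "POST",
     "uri": "/wp-login.php", "body": "log=admin&pwd=guess"},
]

if __name__ == "__main__":
    for ip, flags in scan(SAMPLE_LOG).items():
        print(ip, flags)
```

On the sample records only 203.0.113.5 is reported, with full_chain set, because it both called create_wp_connection and sent the user-creation event; the ordinary REST read and the wp-login.php attempt produce no indicators. Feeding real request logs through scan() requires mapping your log format onto the ip/uri/body fields first, and bodies are only available where a WAF or application-level log captured them.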
This is the second critical OttoKit vulnerability to be exploited in the wild within a month: attacks on the CVE-2025-3102 authentication bypass were reported in mid-April.

2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs, a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced a collaboration with Google to provide extended support for OEM devices running on the company's flagship chipsets. This partnership will…
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…