OttoKit WordPress plugin targeted by massive attacks

Date: 13/05/2025

Hackers are exploiting a critical privilege escalation vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin to create new admin accounts on vulnerable sites.

OttoKit is a popular automation/integration plugin for WordPress with more than 100,000 active installations; it enables users to connect their resources to third-party services and automate workflows.

On April 11, 2025, Patchstack experts became aware of another critical vulnerability in OttoKit. The issue was discovered and reported by independent security researcher Denver Jackson.

The security hole, tracked as CVE-2025-27007, allows attackers to gain administrative access through the plugin API. Exploitation is possible due to a logic error in the create_wp_connection function that lets attackers bypass the authentication check when no application password is set.

The vulnerability was fixed on April 21, 2025 in OttoKit version 1.0.83: the developers added additional validation of the access key used for the request.

According to Patchstack, exploitation of the bug began on May 5, 2025, some 90 minutes after the first publication about it.

Attackers target the plugin's REST API endpoints with requests that imitate legitimate integration attempts: the requests invoke the create_wp_connection function with guessed or compromised admin usernames, random passwords, and fake access keys and email addresses.

Once the exploit succeeds, attackers send requests to /wp-json/sure-triggers/v1/automation/action and ?rest_route=/wp-json/sure-triggers/v1/automation/action with payloads containing the value "type_event": "create_user_if_not_exists". On vulnerable sites, this results in the creation of new admin accounts.
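To help with the log review Patchstack recommends, the following is an added example (not code from the article or from the OttoKit project) that scans web server access log lines for hits on the automation/action endpoint in both URL forms and checks a captured request body for the create_user_if_not_exists value; the log lines and body are constructed samples.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Endpoint reported in the attacks; the rest_route form may appear with or
# without the /wp-json prefix, so we match on the route suffix (assumption).
ROUTE_SUFFIX = "/sure-triggers/v1/automation/action"
IOC_EVENT = "create_user_if_not_exists"

# Combined/common access log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def targets_automation_action(target: str) -> bool:
    """True if the request target reaches the automation/action endpoint,
    either as a pretty permalink or through the ?rest_route= query form."""
    parsed = urlparse(target)
    if parsed.path.rstrip("/").endswith(ROUTE_SUFFIX):
        return True
    routes = parse_qs(parsed.query).get("rest_route", [])
    return any(r.rstrip("/").endswith(ROUTE_SUFFIX) for r in routes)

def body_has_ioc(body: str) -> bool:
    """True if a captured request body (e.g. from a WAF or app log) carries
    the type_event value the attacks use to create an admin account."""
    try:
        data = json.loads(body or "")
    except ValueError:
        return IOC_EVENT in (body or "")   # non-JSON body: fall back to a substring check
    return isinstance(data, dict) and data.get("type_event") == IOC_EVENT

def scan_access_log(lines):
    """Return (ip, timestamp, method, target, status) for every endpoint hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_automation_action(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines and body; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2025:14:02:11 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 312',
    '203.0.113.7 - - [05/May/2025:14:02:12 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 298',
    '198.51.100.4 - - [05/May/2025:14:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1543',
    '198.51.100.4 - - [05/May/2025:14:03:05 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 877',
]
SAMPLE_BODY = '{"type_event": "create_user_if_not_exists"}'

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("endpoint hit:", hit)
    print("body IoC present:", body_has_ioc(SAMPLE_BODY))
```

A hit on the endpoint alone is not proof of compromise, since legitimate OttoKit integrations use the same route; correlate with newly created administrator accounts and with the body indicator where request bodies are logged.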

“It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise,” – Patchstack.

It must be noted that this is the second critical vulnerability in OttoKit discovered since April 2025. Attacks exploiting the CVE-2025-3102 authentication bypass vulnerability were reported in mid-April.
