OttoKit WordPress plugin has a serious security flaw, thousands of users possibly affected

News
By published

It's the second major bug found in OttoKit this month

WordPress logo on mobile
(Image credit: Shutterstock)
  • The OttoKit plugin was vulnerable to a critical flaw that allows the creation of new admin accounts
  • It was patched in late April 2025, so users should update now
  • Threat actors are looking for exposed websites

OttoKit, a popular automation WordPress plugin, is vulnerable to a critical-severity flaw that allows threat actors to take over entire websites.

The bug is described as an incorrect privilege assignment flaw in Brainstorm Force that allows privilege escalation. It affects all older versions of the website builder plugin, up until version 1.0.83, which was released on April 21, 2025. It is tracked as CVE-2025-27007 and has a severity score of 9.8/10 (critical).

In theory, threat actors could send a crafted POST request to a vulnerable REST API endpoint exposed by OttoKit, containing automation data that mimics internal plugin logic. Due to missing validation, OttoKit would fail to properly authenticate the request, and since the automation logic runs with elevated privileges, the threat actors are ultimately allowed to create a new user account and assign it the administrator role.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Chats leaked

OttoKit, formerly known as SureTriggers, is designed to connect websites with various third-party services and enable workflow automation without coding.

It supports integrations with platforms like WooCommerce, Mailchimp, Google Sheets, and CRMs, allowing users to run tasks such as sending emails, updating user roles, or syncing data across apps.

The plugin has more than 100,000 users, but most of them have applied the patch already. Still, security researchers Patchstack said they observed attacks in the wild, starting almost immediately after the flaw was publicly disclosed.

"It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise," Patchstack said.

This is the second major vulnerability in OttoKit found this month, after CVE-2025-3102, another authentication bypass flaw, which was given a “high” severity score of 8.1/10.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.