
Second Critical Vulnerability Found in OttoKit WordPress Plugin

A new security flaw has been discovered in the OttoKit WordPress plugin, according to WordPress security firm Defiant. This marks the second major vulnerability in less than a month.

May 8, 2025

Bisma Farrukh

Attackers are actively exploiting the bug to gain unauthorized access to vulnerable websites. OttoKit, previously known as SureTriggers, is an automation tool used by over 100,000 WordPress sites. It enables administrators to automate tasks and connect various apps, websites, and plugins.

In early April, threat actors began targeting a flaw tracked as CVE-2025-3102, which affected new and unconfigured OttoKit installations. That issue allowed attackers to create admin accounts and control affected sites.

Now, a separate vulnerability, CVE-2025-27007, has come to light. With a critical CVSS score of 9.8, this newly discovered bug resides in the plugin’s create_wp_connection() function, which fails to properly check user authentication. The flaw allows unauthenticated users to elevate privileges and potentially take over a site.

Defiant explains that the exploit only works if the site has never enabled or used an application password with OttoKit. This exploit route is blocked if the plugin was previously connected using an application password.

“In such cases, attackers can exploit the flaw without needing a valid username,” Defiant notes. Authenticated attackers who can generate an application password can also exploit the vulnerability directly.

Defiant reports that attackers are currently attempting to establish a connection via this flaw, which they then use to create administrative user accounts through the plugin’s automation interface.

The company has released indicators of compromise (IoCs) to assist site administrators in detecting signs of exploitation. It also warns that attempts to exploit the previously disclosed vulnerability, CVE-2025-3102, remain ongoing.