Ethical Hacking News
Hackers have exploited a critical vulnerability in the OttoKit WordPress plugin, allowing them to create rogue admin accounts on targeted sites. This incident highlights the importance of staying up-to-date with security patches and maintaining vigilance against emerging threats.
The OttoKit WordPress plugin has been targeted by hackers due to a critical unauthenticated privilege escalation vulnerability. A recent Patchstack report highlights the risk of exploitation, particularly since the plugin connects sites to third-party services and automation workflows. A patch was released on April 21, 2025, in OttoKit version 1.0.83, adding a validation check for the access key used in the request. Exploitation activity began roughly 90 minutes after public disclosure, targeting REST API endpoints with guessed or brute-forced administrator usernames and passwords. Successful exploitation silently creates new administrator accounts on vulnerable installations. Regular updates are crucial in mitigating the risk of exploitation and protecting websites from falling prey to vulnerabilities.
A recent Patchstack report shows how exposed popular WordPress plugins are to exploitation: a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin has been targeted by hackers, resulting in the creation of rogue admin accounts on compromised websites.
The OttoKit plugin, used in over 100,000 sites, provides users with the ability to connect their websites to third-party services and automate workflows. While this functionality offers numerous benefits for website administrators, it also presents a significant risk when exploited by malicious actors. In April 2025, researcher Denver Jackson discovered the vulnerability, tracked under the identifier CVE-2025-27007.
The flaw allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function. This bypasses authentication checks when application passwords aren't set, rendering the plugin's security measures ineffective. Patchstack promptly notified the vendor, and a patch was released on April 21, 2025, in OttoKit version 1.0.83, adding a validation check for the access key used in the request.
Despite this timely patch release, exploitation activity began roughly 90 minutes after public disclosure. Hackers attempted to exploit the vulnerability by targeting REST API endpoints, sending requests mimicking legitimate integration attempts, using 'create_wp_connection' with guessed or brute-forced administrator usernames, random passwords, and fake access keys and email addresses.
Upon successful initial exploitation, attackers issued follow-up API calls to '/wp-json/sure-triggers/v1/automation/action' and '?rest_route=/wp-json/sure-triggers/v1/automation/action', with the payload value "type_event": "create_user_if_not_exists". On vulnerable installations, this silently creates new administrator accounts. Users running the OttoKit plugin are strongly advised to update their sites as soon as possible and to review their logs and site settings for these indicators of attack and compromise.
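To make the log review concrete, here is an added example (not code from the article, Patchstack or the OttoKit project) that scans web server access log lines for the request paths named above and flags sources that hit both 'create_wp_connection' and the automation/action endpoint in sequence. The log lines are constructed; the article does not give the full path of the 'create_wp_connection' endpoint, so only that name is matched, and the "create_user_if_not_exists" payload value is assumed to appear only in a log source that records request bodies.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article's description of the attack chain.
# Assumption: the full route of create_wp_connection is not given, so only the
# function name is matched; the payload value is only visible if the log
# source (e.g. a WAF) records request bodies.
INDICATORS = {
    "automation_action": re.compile(
        r"(?:^|\s)/wp-json/sure-triggers/v1/automation/action"
        r"|rest_route=/wp-json/sure-triggers/v1/automation/action"),
    "create_wp_connection": re.compile(r"create_wp_connection"),
    "create_user_if_not_exists": re.compile(r"create_user_if_not_exists"),
}

# Common/combined log format: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 documentation addresses); the
# connection path in the first line is made up for the sample.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2025:10:12:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create_wp_connection HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2025:10:12:03 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 233',
    '203.0.113.7 - - [05/May/2025:10:12:04 +0000] "POST /?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 233',
    '198.51.100.4 - - [05/May/2025:10:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120',
    '198.51.100.4 - - [05/May/2025:10:13:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9876',
]

def find_ottokit_indicators(lines):
    """Return (ip, method, path, status, indicator) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(line)  # rest_route values are often URL-encoded
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.append((m["ip"], m["method"], m["path"], int(m["status"]), name))
                break
    return hits

def suspicious_sources(hits):
    """IPs that performed the full chain: connection call, then automation call."""
    seen = {}
    for ip, _method, _path, status, name in hits:
        if 200 <= status < 300:  # only count calls the server accepted
            seen.setdefault(ip, set()).add(name)
    return {ip for ip, names in seen.items()
            if {"create_wp_connection", "automation_action"} <= names}
```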
This incident marks the second critical severity flaw in OttoKit exploited by hackers since April 2025. The previous vulnerability, tracked as CVE-2025-3102, was also disclosed on the same day and involved automated attempts to create rogue administrator accounts with randomized usernames, passwords, and email addresses.
The importance of staying up-to-date with security patches cannot be overstated in this context. As highlighted by Patchstack, regular updates can significantly mitigate the risk of exploitation and protect websites from falling prey to such vulnerabilities. In light of this recent incident, it is imperative that website administrators prioritize their plugin updates and maintain a vigilant stance against emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Hacking-the-Unseen-How-Hackers-Exploited-a-Critical-Vulnerability-in-OttoKit-WordPress-Plugin-ehn.shtml
Published: Wed May 7 13:55:10 2025 by llama3.2 3B Q4_K_M