A critical-severity vulnerability in the OttoKit WordPress plugin is being actively exploited by threat actors. This vulnerability allows attackers to gain administrative privileges on affected sites, compromising their security. The plugin, which has more than 100,000 installations, enables site administrators to automate tasks and connect with other apps and plugins. This exploitation follows a previous attack targeting another vulnerability in OttoKit, CVE-2025-3102, which was discovered in early April.
The new vulnerability, CVE-2025-27007, has a CVSS score of 9.8 and is being exploited to gain unauthorized access. The defect lies in the plugin’s “create_wp_connection()” function, which improperly handles user authentication. This flaw allows attackers to elevate their privileges even without knowing a valid username. The vulnerability can only be exploited if the site has never used an application password nor connected OttoKit to the site.
Once the vulnerability is exploited, attackers can bypass authentication and connect to impacted sites without needing a valid username. However, the flaw requires that no previous connection has been established using an application password. Attackers may use this initial access to create administrative user accounts, further compromising the site. Additionally, an attacker with an authenticated connection could use the vulnerability to exploit other parts of the site.
To mitigate the risks, Defiant recommends that administrators update to OttoKit version 1.0.83, which includes patches for both CVE-2025-27007 and the earlier CVE-2025-3102. Site owners are urged to apply the update immediately to protect their websites from ongoing attacks. Defiant also shared indicators of compromise (IoCs) to assist administrators in detecting potential exploitation.
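The precondition and the post-exploitation sign described above (an unpatched plugin on a site that has never used an application password, followed by newly created administrator accounts) can be turned into a quick defender-side audit. The script below is an added example, not code from Defiant, Wordfence or the OttoKit project; it works on constructed dicts standing in for an export of the installed plugin version and the wp_users/wp_usermeta tables, and it assumes WordPress core's `_application_passwords` usermeta key as the proxy for "an application password has ever been used" on the site.

```python
"""Audit a WordPress site for the OttoKit CVE-2025-27007 precondition and for
administrator accounts created after a given date.

Added example (not the plugin's or Defiant's code). Input is a constructed
snapshot: the installed OttoKit version plus a list of users as they would be
read from wp_users and wp_usermeta. The '_application_passwords' key is
WordPress core's usermeta storage for application passwords; using it as the
"has ever used an application password" signal is an assumption of this script.
"""
from datetime import datetime

PATCHED_VERSION = "1.0.83"  # release named in the advisory as fixing both CVEs


def parse_version(version: str) -> tuple:
    """Turn '1.0.82' into (1, 0, 82) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def plugin_is_vulnerable(installed_version: str) -> bool:
    """True when the installed OttoKit build predates the patched release."""
    return parse_version(installed_version) < parse_version(PATCHED_VERSION)


def app_passwords_ever_used(users) -> bool:
    """True if any user carries a non-empty '_application_passwords' meta entry."""
    return any(user.get("meta", {}).get("_application_passwords") for user in users)


def new_admins_since(users, since: str):
    """Logins of administrator accounts registered on or after `since`.

    `registered` uses WordPress's 'YYYY-MM-DD HH:MM:SS' user_registered format,
    which datetime.fromisoformat accepts directly.
    """
    cutoff = datetime.fromisoformat(since)
    return sorted(
        user["login"]
        for user in users
        if "administrator" in user.get("roles", [])
        and datetime.fromisoformat(user["registered"]) >= cutoff
    )


def assess_site(installed_version: str, users, since: str) -> dict:
    """Combine the three checks into one findings record.

    precondition_met means: plugin unpatched AND no application password has
    ever been used, i.e. the state the advisory says the flaw requires.
    """
    vulnerable = plugin_is_vulnerable(installed_version)
    return {
        "plugin_vulnerable": vulnerable,
        "precondition_met": vulnerable and not app_passwords_ever_used(users),
        "new_admins": new_admins_since(users, since),
    }


# Constructed sample snapshot: one long-standing admin, one editor, and an
# administrator account created after the early-April 2025 attack wave.
SAMPLE_USERS = [
    {"login": "owner", "roles": ["administrator"],
     "registered": "2023-01-10 09:00:00", "meta": {}},
    {"login": "editor1", "roles": ["editor"],
     "registered": "2024-06-01 12:00:00", "meta": {}},
    {"login": "wpadm_x1", "roles": ["administrator"],
     "registered": "2025-05-02 03:14:00", "meta": {}},
]

if __name__ == "__main__":
    # An unpatched build with no application passwords: both flags raised,
    # and the recently registered administrator is listed for review.
    print(assess_site("1.0.82", SAMPLE_USERS, "2025-04-01 00:00:00"))
```

In practice the `users` list would be built from `wp user list --fields=user_login,roles,user_registered` (or a direct query of wp_users joined with wp_usermeta), and any login in `new_admins` that the site owner cannot account for warrants a password reset and a review of the account's activity; the flags do not prove compromise on their own.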