
The OttoKit plugin for WordPress—installed on over 100,000 websites—has come under widespread attack exploiting two vulnerabilities, one of which has been assigned a near-maximum severity rating. According to Wordfence, all plugin versions up to and including 1.0.82 are affected. The attacks have already begun and remain ongoing.
The critical vulnerability, tracked as CVE-2025-27007 and rated 9.8 on the CVSS scale, enables privilege escalation without prior authentication. The flaw lies in the create_wp_connection() function, which fails to adequately validate user permissions or authenticate identities. This allows threat actors to establish a connection with the site and elevate their access rights to administrator level.
Two attack vectors are currently being exploited: one where application passwords have never been used on the site, and another where the attacker is already authenticated and capable of generating such a password. In some instances, adversaries create administrative accounts through a dedicated automated endpoint.
A second vulnerability, CVE-2025-3102—rated 8.1 CVSS—is also being actively exploited as of April. Experts report that malicious scanners are sweeping the web for sites vulnerable to either flaw and executing automated attacks. Involved IP addresses include those originating from both European and American hosting providers.
The attack campaign escalated significantly on May 4. Nonetheless, many site owners have yet to upgrade to version 1.0.83, which contains the necessary patches.
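A site-owner triage check for the two points above (the affected-version range and the administrator accounts created during the campaign), added here as an illustration rather than code from Wordfence or the OttoKit project. It assumes the plugin's main file carries a standard WordPress `Version:` header and that the user list comes from `wp user list --format=json` (or any export with `user_login`, `roles` and `user_registered` fields); the sample header and user records are constructed.

```python
"""Constructed triage helper for the OttoKit advisory (not vendor code)."""
import re
from datetime import datetime, timezone

PATCHED_VERSION = (1, 0, 83)          # first release containing the fixes
ESCALATION_DATE = datetime(2025, 5, 4, tzinfo=timezone.utc)  # campaign escalation

def parse_version(text):
    """Compare versions numerically: '1.0.9' must sort below '1.0.83'."""
    return tuple(int(p) for p in text.strip().split("."))

def plugin_version_from_header(header):
    """Pull the Version: field out of a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header, re.MULTILINE)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return parse_version(m.group(1))

def is_affected(version):
    """All releases up to and including 1.0.82 are affected."""
    return version < PATCHED_VERSION

def suspicious_admins(users, since=ESCALATION_DATE):
    """Administrator accounts registered on or after `since` deserve review."""
    found = []
    for u in users:
        roles = u["roles"]
        if isinstance(roles, str):            # wp-cli emits a comma-separated string
            roles = roles.split(",")
        if "administrator" not in roles:
            continue
        registered = datetime.fromisoformat(u["user_registered"]).replace(tzinfo=timezone.utc)
        if registered >= since:
            found.append(u["user_login"])
    return found

# Constructed sample inputs: an unpatched install and one post-May-4 admin account.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: OttoKit\n * Version: 1.0.82\n */\n"
SAMPLE_USERS = [
    {"user_login": "owner", "roles": "administrator", "user_registered": "2023-02-11 09:12:00"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2025-05-05 10:00:00"},
    {"user_login": "wpadmin2", "roles": "administrator", "user_registered": "2025-05-05 03:14:07"},
]

def triage(header=SAMPLE_HEADER, users=SAMPLE_USERS):
    """Return the installed version, whether it is affected, and admins needing review."""
    version = plugin_version_from_header(header)
    return {"version": version, "affected": is_affected(version),
            "new_admins": suspicious_admins(users)}

if __name__ == "__main__":
    print(triage())
```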
Formerly known as SureTriggers, OttoKit enables users to create WordPress automations and is frequently used for integrating external services. In the hands of malicious actors, such tools can lead to complete site compromise. Given the ease of exploitation and the active abuse of these vulnerabilities, updating to the latest version is not merely advisable—it is an urgent imperative.