- The Ottokit plugin was vulnerable to a critical flaw that allows the creation of new administrator accounts
- It was fixed at the end of April 2025, so users should update now
- Threat actors are scanning for exposed websites
Ottokit, a popular WordPress automation plugin, is affected by a critical-severity flaw that allows threat actors to take over entire websites.
The bug is described as an incorrect privilege assignment flaw in the plugin's automation logic, which allows privilege escalation. It affects all versions of the plugin prior to 1.0.83, the fixed release published on April 21, 2025. It is tracked as CVE-2025-27007 and has a severity score of 9.8/10 (critical).
In theory, threat actors could send a crafted POST request to a vulnerable REST API endpoint exposed by Ottokit, containing automation data that mimics the plugin's internal logic. Because of missing validation, Ottokit would fail to properly authenticate the request, and since the automation logic runs with high privileges, threat actors are ultimately able to create a new user account and assign it the administrator role.
Details disclosed
Ottokit, formerly known as SureTriggers, is designed to connect websites with various third-party services and allow workflow automation without coding.
It supports integrations with platforms such as WooCommerce, Mailchimp, Google Sheets and CRMs, allowing users to perform tasks such as sending emails, updating user roles or synchronizing data across applications.
The plugin has more than 100,000 users, most of whom have already applied the fix. However, Patchstack security researchers said they observed attacks in the wild starting almost immediately after the flaw was publicly disclosed.
“It is highly recommended to update your site as soon as possible if you use the Ottokit plugin, and to review your logs and site settings for these indicators of attack and compromise,” Patchstack said.
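As an added example (not code from the article or from Patchstack) of the two checks the advice above amounts to, the script below flags an installed Ottokit version older than the 1.0.83 fix and lists administrator accounts registered on or after the April 21, 2025 release date. The user records are constructed sample data in the shape a site export or `wp user list` would give; the field names are assumptions.

```python
"""Triage helpers for the Ottokit privilege-escalation flaw (CVE-2025-27007)."""
from datetime import datetime, timezone

# Facts from the advisory: 1.0.83 is the first fixed release, published 2025-04-21.
PATCHED_VERSION = (1, 0, 83)
PATCH_DATE = datetime(2025, 4, 21, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """Turn '1.0.82' into (1, 0, 82) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed_version: str) -> bool:
    """True when the installed Ottokit release predates the 1.0.83 fix."""
    return parse_version(installed_version) < PATCHED_VERSION


def suspicious_admins(users, since=PATCH_DATE):
    """Return logins of administrator accounts registered on or after `since`.

    Each user is a dict with 'login', 'role' and 'registered' (ISO 8601, UTC),
    an assumed shape mirroring wp_users / wp_usermeta. Accounts created after
    the fix shipped deserve a second look, since the flaw lets an attacker
    create a new administrator; an admin from long before it is not, by itself,
    a sign of compromise.
    """
    hits = []
    for user in users:
        if user["role"] != "administrator":
            continue
        registered = datetime.fromisoformat(user["registered"]).replace(tzinfo=timezone.utc)
        if registered >= since:
            hits.append(user["login"])
    return hits


# Constructed sample data, not taken from any real site.
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": "2023-06-01 10:00:00"},
    {"login": "editor1", "role": "editor", "registered": "2025-04-25 08:00:00"},
    {"login": "wp-support-tmp", "role": "administrator", "registered": "2025-04-28 03:12:44"},
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("1.0.82"))          # True
    print("new admins:", suspicious_admins(SAMPLE_USERS))   # ['wp-support-tmp']
```

Any login the second check returns should be matched against the site's own change records before it is treated as malicious.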
This is the second major Ottokit vulnerability found this month, after CVE-2025-3102, another authentication bypass flaw, which received a “high” severity score of 8.1/10.
Via BleepingComputer