    From TechnologyDaily@1337:1/100 to All on Thursday, May 08, 2025 10:30:09
    OttoKit WordPress plugin has a serious security flaw, thousands of users possibly affected

    Date:
    Thu, 08 May 2025 09:25:39 +0000

    Description:
    OttoKit plugin bug allows threat actors to create new admin accounts.

    FULL STORY ======================================================================
    - The OttoKit plugin was vulnerable to a critical flaw that allows the creation of new admin accounts
    - It was patched in late April 2025, so users should update now
    - Threat actors are looking for exposed websites

    OttoKit, a popular automation WordPress plugin, is vulnerable to a critical-severity flaw that allows threat actors to take over entire
    websites.

    The bug is described as an incorrect privilege assignment flaw in Brainstorm Force's plugin that allows privilege escalation. It affects all versions of the website builder plugin before 1.0.83, the fixed release published on April 21, 2025. It is tracked as CVE-2025-27007 and has a severity score of 9.8/10 (critical).

    In theory, threat actors could send a crafted POST request to a vulnerable REST API endpoint exposed by OttoKit, containing automation data that mimics internal plugin logic. Due to missing validation, OttoKit would fail to properly authenticate the request, and since the automation logic runs with elevated privileges, the threat actors are ultimately allowed to create a new user account and assign it the administrator role.
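    The log and settings review Patchstack recommends, as an added example that is not code from the article, Patchstack or the plugin vendor: it correlates constructed Apache access-log lines with a constructed snapshot of WordPress users and flags administrator accounts registered shortly after a POST to an automation REST route. The prefix /wp-json/example-automation/ is a placeholder, not OttoKit's real endpoint.

```python
"""Correlate web-server access logs with the WordPress user list to spot
administrator accounts created right after suspicious REST API POSTs.
Added illustration (not TechRadar's, Patchstack's or OttoKit's code):
the log lines, users and the REST path prefix are constructed placeholders."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (Apache combined format).
ACCESS_LOG = """\
203.0.113.7 - - [22/Apr/2025:03:14:05 +0000] "POST /wp-json/example-automation/v1/run HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [22/Apr/2025:03:15:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2025:03:16:10 +0000] "POST /wp-json/example-automation/v1/run HTTP/1.1" 200 498 "-" "python-requests/2.31"
"""
# Constructed snapshot of wp_users joined with each user's role.
USERS = [
    {"login": "admin",   "role": "administrator", "registered": "2023-01-10 09:00:00"},
    {"login": "editor1", "role": "editor",        "registered": "2024-06-02 12:30:00"},
    {"login": "svc_ops", "role": "administrator", "registered": "2025-04-22 03:16:12"},
]
REST_PREFIX = "/wp-json/example-automation/"   # placeholder, not the real route
WINDOW = timedelta(minutes=10)                 # how soon after a POST a new admin is suspicious
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def suspicious_posts(log_text):
    """Return (timestamp, ip, path) for POSTs hitting the automation REST prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(REST_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], m["path"]))
    return hits

def flag_new_admins(users, posts, window=WINDOW):
    """Administrators whose registration falls within `window` after a suspicious POST."""
    flagged = []
    for u in users:
        if u["role"] != "administrator":
            continue
        reg = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for ts, ip, path in posts:
            if ts <= reg <= ts + window:
                flagged.append((u["login"], ip, path))
                break   # one matching request is enough to warrant review
    return flagged

if __name__ == "__main__":
    for login, ip, path in flag_new_admins(USERS, suspicious_posts(ACCESS_LOG)):
        print(f"review: admin '{login}' created shortly after POST {path} from {ip}")
```

    On a real site the user snapshot would come from `wp user list --fields=user_login,roles,user_registered` or the wp_users table, and the log from the web server's access log.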

    OttoKit, formerly known as SureTriggers, is designed to connect websites with various third-party services and enable workflow automation without coding.

    It supports integrations with platforms like WooCommerce, Mailchimp, Google Sheets, and CRMs, allowing users to run tasks such as sending emails,
    updating user roles, or syncing data across apps.

    The plugin has more than 100,000 users, but most of them have applied the patch already. Still, security researchers at Patchstack said they observed attacks in the wild, starting almost immediately after the flaw was publicly disclosed.

    "It is strongly recommended to update your site as soon as possible if you
    are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise," Patchstack said.

    This is the second major vulnerability in OttoKit found this month, after CVE-2025-3102, another authentication bypass flaw, which was given a high severity score of 8.1/10.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/ottokit-wordpress-plugin-has-a-serious-security-flaw-thousands-of-users-possibly-affected


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)