Hackers exploit OttoKit WordPress plugin flaw to add admin accounts

Hackers are actively exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue administrator accounts. Immediate action is required to update affected sites and review logs for signs of compromise. (Affected: WordPress sites using the OttoKit plugin)

Key points:

  • The vulnerability CVE-2025-27007 allows attackers to gain admin access through the plugin’s API by exploiting a logic error in the 'create_wp_connection' function.
  • The flaw was reported on April 11, 2025, and a patch was released on April 21, 2025, with version 1.0.83 including validation checks.
  • Most users had been force-updated to the patched version by April 24, 2025, but exploitation activity began shortly after public disclosure.
  • Attackers target REST API endpoints, using brute-force methods with guessed credentials and fake access keys to create rogue administrator accounts silently.
  • The attack sequence involves follow-up API calls to trigger account creation through specific payloads, leading to site compromise.
  • This is the second critical flaw exploited in OttoKit since April 2025, indicating ongoing targeted attacks against the plugin.
  • Site administrators are advised to update immediately, review logs, and monitor for indicators of attack and unauthorized account creation.

Read More: https://www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/