
SureTriggers
Unauthenticated Privilege Escalation
Update: We observed attackers starting to attempt to exploit this vulnerability 1 hour and 31 minutes after disclosure. See Exploitation in the Wild for more information.
The vulnerability in the OttoKit plugin was originally reported by Patchstack Alliance community member Denver Jackson to the Patchstack Zero Day bug bounty program for WordPress.
The Patchstack Zero Day program has awarded the researcher $2,600 USD in cash. If you wish to participate in the program as well, join the community here.
This blog post is about the OttoKit (formerly SureTriggers) plugin vulnerability. If you're an OttoKit user, please update the plugin to at least 1.0.83.
If you are a Patchstack customer, you are already protected from this vulnerability, and no further action is required from you.
For plugin developers, we have security audit services and Enterprise API for hosting companies.
About the OttoKit plugin
The OttoKit plugin, which has over 100k active installations, is a popular automation/integration plugin for WordPress. The plugin is developed by Brainstorm Force.

This WordPress plugin allows its users to integrate their WordPress website with a number of third-party software solutions. Through these integrations, the plugin also allows for automating tasks between the different connected services.
The security vulnerability
The OttoKit plugin suffered from an unauthenticated privilege escalation vulnerability. It was caused by a logic error in the plugin: the response from the wp_authenticate_application_password WordPress function was handled incorrectly, and user-provided access tokens were only minimally verified. As a result, an attacker could obtain full control of the website via the OttoKit plugin's API, including the ability to create additional Administrator-level user accounts, on any website using this plugin where the administrator has not set an application password. This vulnerability is fixed in version 1.0.83 and is tracked as CVE-2025-27007.
The underlying vulnerability exists in the create_wp_connection function:
public function create_wp_connection( $request ) {
    // Only the client-supplied User-Agent header is inspected here. Any client can
    // send this value, so it is not an authentication control.
    $user_agent = $request->get_header( 'user-agent' );
    if ( 'OttoKit' !== $user_agent && 'SureTriggers' !== $user_agent ) {
        return new WP_REST_Response(
            [
                'success' => false,
                'data'    => 'Unauthorized',
            ],
            403
        );
    }
    $params   = $request->get_json_params();
    $username = isset( $params['wp-username'] ) ? sanitize_text_field( $params['wp-username'] ) : '';
    $password = isset( $params['wp-password'] ) ? $params['wp-password'] : '';
    if ( empty( $username ) || empty( $password ) ) {
        return new WP_REST_Response(
            [
                'success' => false,
                'data'    => 'Username and password are required.',
            ],
            400
        );
    }
    // Logic error: when application passwords are not in use, this call returns its
    // first argument (null) rather than a WP_Error. The is_wp_error() check below
    // therefore passes and execution continues without any verified credential.
    $user = wp_authenticate_application_password( null, $username, $password );
    if ( is_wp_error( $user ) ) {
        return new WP_REST_Response(
            [
                'success' => false,
                'data'    => 'Invalid username or password.',
            ],
            403
        );
    }
    $connection_status = $request->get_param( 'connection-status' );
    $access_key        = $request->get_param( 'sure-triggers-access-key' );
    $connected_email   = $request->get_param( 'connected_email' );
    if ( false === $connection_status ) {
        $access_key = 'connection-denied';
    }
    $connected_email_id = isset( $connected_email ) ? sanitize_email( wp_unslash( $connected_email ) ) : '';
    // The caller-supplied access key is persisted without any further verification.
    if ( isset( $access_key ) ) {
        SaasApiToken::save( $access_key );
    }
    OptionController::set_option( 'connected_email_key', $connected_email_id );
    return new WP_REST_Response(
        [
            'success' => true,
            'data'    => 'Connected successfully.',
        ],
        200
    );
}
The function above can be called from the sure-triggers/v1/connection/create-wp-connection REST API endpoint. Because the logic errors described above prevent proper authentication, anyone who knows the administrator's username can complete this connection request.
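As an added illustration of how the authentication step could be hardened (this is example code written for this page, not the vendor's 1.0.83 patch, and the vendor's actual access-key validation is not described here), the following version accepts only a WP_User result from wp_authenticate_application_password, requires an administrative capability before a site-wide connection is stored, and refuses to persist an access key that is missing or malformed. It assumes the WordPress runtime (WP_User, WP_REST_Response, wp_authenticate_application_password, user_can, sanitize_text_field, sanitize_email, wp_unslash) and the plugin's own SaasApiToken and OptionController classes; the ottokit_example_* functions and validate_access_key_format() are hypothetical names, and the key format enforced by that helper is an assumption. The User-Agent check is dropped because it is client-controlled and provides no security boundary.

```php
<?php
// Added example, not the vendor's patch. Hardened authentication step for a
// create-wp-connection style handler. Assumes it runs inside WordPress; the
// ottokit_example_* names and validate_access_key_format() are hypothetical.

/**
 * Only a WP_User proves that an application password was verified.
 * wp_authenticate_application_password() can return its first argument unchanged
 * (null here) instead of a WP_Error, so is_wp_error() alone is not sufficient.
 */
function ottokit_example_verified_user( $auth_result ) {
    return $auth_result instanceof WP_User ? $auth_result : null;
}

/**
 * Hypothetical access-key check. The real key format is not documented on this
 * page, so this enforces a non-empty string of an assumed shape before storage.
 */
function validate_access_key_format( $access_key ) {
    if ( ! is_string( $access_key ) ) {
        return false;
    }
    // Assumed format: 32 to 128 URL-safe characters.
    return 1 === preg_match( '/^[A-Za-z0-9_\-]{32,128}$/', $access_key );
}

function ottokit_example_error( $message, $status ) {
    return new WP_REST_Response( [ 'success' => false, 'data' => $message ], $status );
}

function ottokit_example_create_wp_connection( $request ) {
    $params   = $request->get_json_params();
    $username = isset( $params['wp-username'] ) ? sanitize_text_field( $params['wp-username'] ) : '';
    $password = isset( $params['wp-password'] ) ? $params['wp-password'] : '';

    if ( '' === $username || '' === $password ) {
        return ottokit_example_error( 'Username and password are required.', 400 );
    }

    // Treat everything that is not a WP_User (WP_Error and null alike) as failure.
    $user = ottokit_example_verified_user(
        wp_authenticate_application_password( null, $username, $password )
    );
    if ( null === $user ) {
        return ottokit_example_error( 'Invalid username or password.', 403 );
    }

    // Connecting the site to an external service is an administrative action,
    // so the authenticated account must hold an administrative capability.
    if ( ! user_can( $user, 'manage_options' ) ) {
        return ottokit_example_error( 'Insufficient permissions.', 403 );
    }

    $access_key = $request->get_param( 'sure-triggers-access-key' );
    if ( false === $request->get_param( 'connection-status' ) ) {
        $access_key = 'connection-denied';
    } elseif ( ! validate_access_key_format( $access_key ) ) {
        // Never persist a missing or arbitrary key.
        return ottokit_example_error( 'Invalid access key.', 400 );
    }

    $connected_email    = $request->get_param( 'connected_email' );
    $connected_email_id = isset( $connected_email ) ? sanitize_email( wp_unslash( $connected_email ) ) : '';

    SaasApiToken::save( $access_key );
    OptionController::set_option( 'connected_email_key', $connected_email_id );

    return new WP_REST_Response( [ 'success' => true, 'data' => 'Connected successfully.' ], 200 );
}
```

The essential change is the instanceof test: a function that may pass its input through unchanged must be checked for the positive result (a verified user object), not merely for the absence of an error object.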
The patch
The vendor implemented a patch for this vulnerability in version 1.0.83 by correcting the logic error and adding additional validation of the access key used for the request. The patch can be seen below:

Conclusion
While the WordPress API is heavily battle-tested, its large scope of functionality and many decades of changes also leave room for unexpected interactions. Especially when dealing with critical functionality such as authentication, it is vital to ensure that all potential responses from the WordPress API are correctly accounted for.
Want to learn more about finding and fixing vulnerabilities?
Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.
Timeline
Exploitation in the Wild
Just over an hour after this disclosure was published, Patchstack observed attempts to exploit the reported vulnerability. This highlights the importance of applying patches, updates or mitigations promptly, to ensure a site's safety after vulnerabilities have been disclosed.
Indications of an attack being attempted include:
- Hits on the URLs used to initiate this exploit:
  - /wp-json/sure-triggers/v1/connection/create-wp-connection
  - ?rest_route=/wp-json/sure-triggers/v1/connection/create-wp-connection
- Attempts to initialize a new connection with the OttoKit WP API:
    {
      "integration": "WordPress",
      "type_event": "create_wp_connection",
      "wp-username": "<site administrator username>",
      "wp-password": "<random>",
      "sure-triggers-access-key": "<random>",
      "connected_email": "<random>",
      "automation_id": "<random>"
    }
After the exploit has been initialized through establishing this connection, further signs of compromise include:
- Hits to the URLs:
  - /wp-json/sure-triggers/v1/automation/action
  - ?rest_route=/wp-json/sure-triggers/v1/automation/action
- Payloads including the "type_event": "create_user_if_not_exists" value
- Newly created administrator (or other level) user accounts on the impacted website.
It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise.
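To make the indicators above directly usable against web-server logs, the following script (added here as an example; it is not from the original post or the OttoKit plugin) parses combined-format access log lines, normalises both URL forms (/wp-json/... and ?rest_route=...) to one route key, flags hits on the two REST routes listed above, and checks a logged request body for the type_event markers. It requires PHP 8 (str_starts_with, str_contains, str_ends_with); the log lines and the request body in it are constructed samples, and the flag for a successful connection relies on the handler shown earlier returning 200 only on success.

```php
<?php
// Added example, not part of the original post or the plugin: scan access log
// lines for the OttoKit indicators of attack. Requires PHP 8. Sample data below is
// constructed for this example.

// Indicator routes keyed without the /wp-json prefix so that both URL forms
// (/wp-json/... and ?rest_route=...) normalise to the same key.
const OTTOKIT_INDICATOR_ROUTES = [
    '/sure-triggers/v1/connection/create-wp-connection' => 'connection attempt (initial step of the exploit)',
    '/sure-triggers/v1/automation/action'               => 'automation action (activity after a connection exists)',
];

// Markers to look for where a WAF or application log records request bodies.
const OTTOKIT_BODY_MARKERS = [ 'create_wp_connection', 'create_user_if_not_exists' ];

/** Parse one combined-format line; returns null when the line does not match. */
function parse_combined_log_line( string $line ): ?array {
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( 1 !== preg_match( $pattern, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'method' => $m[2], 'target' => $m[3], 'status' => (int) $m[4], 'user_agent' => $m[5] ];
}

/** Strip a leading /wp-json and any trailing slash so both URL forms compare equal. */
function normalise_route( string $route ): string {
    $route = rtrim( $route, '/' );
    if ( str_starts_with( $route, '/wp-json' ) ) {
        $route = substr( $route, strlen( '/wp-json' ) );
    }
    return $route;
}

/** Return the indicator route matched by a request target, or null. */
function match_indicator_route( string $target ): ?string {
    $candidates = [ (string) parse_url( $target, PHP_URL_PATH ) ];
    $query      = parse_url( $target, PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $q );
        if ( isset( $q['rest_route'] ) && is_string( $q['rest_route'] ) ) {
            $candidates[] = $q['rest_route'];
        }
    }
    foreach ( $candidates as $candidate ) {
        $route = normalise_route( $candidate );
        if ( array_key_exists( $route, OTTOKIT_INDICATOR_ROUTES ) ) {
            return $route;
        }
    }
    return null;
}

/** Scan lines and return one finding per hit on an indicator route. */
function scan_log_lines( array $lines ): array {
    $findings = [];
    foreach ( $lines as $index => $line ) {
        $entry = parse_combined_log_line( $line );
        if ( null === $entry ) {
            continue;
        }
        $route = match_indicator_route( $entry['target'] );
        if ( null === $route ) {
            continue;
        }
        $findings[] = [
            'line'       => $index + 1,
            'ip'         => $entry['ip'],
            'method'     => $entry['method'],
            'route'      => $route,
            'reason'     => OTTOKIT_INDICATOR_ROUTES[ $route ],
            // The vulnerable handler returns 200 only on success, so a 200 on the
            // connection route means a connection was actually established.
            'succeeded'  => 200 === $entry['status'],
            'user_agent' => $entry['user_agent'],
        ];
    }
    return $findings;
}

/** Which body markers appear in a logged request body. */
function body_markers_in( string $body ): array {
    return array_values( array_filter( OTTOKIT_BODY_MARKERS, fn( $m ) => str_contains( $body, $m ) ) );
}

// Constructed sample lines in combined log format; IPs are documentation ranges.
$sample_log_lines = [
    '203.0.113.5 - - [01/Jan/2025:00:00:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 58 "-" "OttoKit"',
    '203.0.113.5 - - [01/Jan/2025:00:00:03 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 120 "-" "SureTriggers"',
    '198.51.100.9 - - [01/Jan/2025:00:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
];

foreach ( scan_log_lines( $sample_log_lines ) as $f ) {
    $note = $f['succeeded'] && str_ends_with( $f['route'], 'create-wp-connection' ) ? '; connection accepted, review site users' : '';
    printf( "line %d: %s %s [%s] from %s (UA %s) -> %s%s\n", $f['line'], $f['method'], $f['route'],
        $f['succeeded'] ? '200' : 'non-200', $f['ip'], $f['user_agent'], $f['reason'], $note );
}

// Constructed example of a request body as a WAF might record it.
$sample_body = '{"integration":"WordPress","type_event":"create_user_if_not_exists"}';
echo 'body markers: ' . implode( ', ', body_markers_in( $sample_body ) ) . "\n";
```

Run it with php on a file of real log lines (replace $sample_log_lines with the file's contents) and pay particular attention to a 200 response on the create-wp-connection route: that is the point at which the plugin stored the caller's access key, so any automation/action hits and new user accounts after that timestamp should be reviewed.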
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.