CVE-2025-27007 – Critical Privilege Escalation Vulnerability (CVSS: 9.8)
This flaw affects all plugin versions up to and including 1.0.82. It originates from the create_wp_connection() function, which fails to verify user capabilities and authentication properly.
What this means: Unauthenticated attackers can exploit this flaw to gain admin privileges under the following conditions:
- The site has never used an application password, and OttoKit was never connected using one.
- The attacker already has login access and can create a valid application password.
Attackers use this vulnerability to establish a connection and then create a new admin user through OttoKit’s automation/action endpoint.
CVE-2025-3102 – Secondary Exploit Still in the Wild
In addition to CVE-2025-27007, threat actors are also targeting CVE-2025-3102, a separate vulnerability that has been exploited since April 2025. Both flaws can be used in tandem to increase the severity of an attack.
Known Malicious IP Addresses
Wordfence researchers observed mass exploitation beginning May 4, 2025, with scanning activity as early as May 2.
IP addresses involved in the attacks:
- 2a0b:4141:820:1f4::2
- 41.216.188.205
- 144.91.119.115
- 194.87.29.57
- 196.251.69.118
- 107.189.29.12
- 205.185.123.102
- 198.98.51.24
- 198.98.52.226
- 199.195.248.147
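A defender's first use of an IoC list like this is to check it against existing web server access logs. The script below is an added example (not part of the advisory or of the OttoKit project): it parses Apache/nginx combined-format log lines and reports every request from one of the listed addresses. Addresses are compared through Python's `ipaddress` module so that the IPv6 entry also matches when a log writes it in expanded form. The log lines embedded in the script are constructed samples (the benign addresses are from the RFC 5737 documentation ranges); the request paths and timestamps are illustrative, not observed attack traffic.

```python
import ipaddress
import re

# IoC list as published in the advisory above.
KNOWN_MALICIOUS_IPS = [
    "2a0b:4141:820:1f4::2",
    "41.216.188.205",
    "144.91.119.115",
    "194.87.29.57",
    "196.251.69.118",
    "107.189.29.12",
    "205.185.123.102",
    "198.98.51.24",
    "198.98.52.226",
    "199.195.248.147",
]

# Normalise once so that textual variants (e.g. zero-padded IPv6) still match.
MALICIOUS_SET = {ipaddress.ip_address(ip) for ip in KNOWN_MALICIOUS_IPS}

# Constructed sample log (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2025:09:58:44 +0000] "GET / HTTP/1.1" 200 5120
41.216.188.205 - - [04/May/2025:10:12:01 +0000] "POST /wp-json/ HTTP/1.1" 403 231
2a0b:4141:0820:01f4:0000:0000:0000:0002 - - [04/May/2025:10:12:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4210
198.51.100.23 - - [04/May/2025:10:13:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
this line is not in log format and must be skipped
"""

# client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {
        "ip": str(addr),            # canonical (compressed) form
        "ts": m.group("ts"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "addr": addr,
    }


def scan_log(text):
    """Return the parsed entries whose client address is in the IoC list."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["addr"] in MALICIOUS_SET:
            hits.append(entry)
    return hits


def count_by_ip(hits):
    """Summarise hits as {canonical_ip: request_count}."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["request"]}')
    print(count_by_ip(found))
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log").read())`; any hit is a reason to review that period for logins, new administrator accounts and plugin connection events, whether or not the request itself was blocked.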
Urgent Action Required – Update Now!
All users of the OttoKit plugin are advised to immediately update to version 1.0.83 to patch both vulnerabilities. Delaying this update could allow attackers to completely compromise your website.
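When checking many sites, it helps to read the installed version out of the plugin's header and compare it numerically against the affected range. The script below is an added example (not from the advisory or the plugin): it extracts the `Version:` field from a WordPress plugin header and reports whether the version is at or below 1.0.82. Comparison is done on integer tuples rather than strings, because a lexical comparison would wrongly rank "1.0.9" above "1.0.82". The plugin header embedded here is a constructed sample, not the plugin's real file.

```python
import re

AFFECTED_UP_TO = "1.0.82"   # highest vulnerable version per the advisory
FIXED_VERSION = "1.0.83"    # version that patches both CVEs

# Constructed sample of a WordPress plugin header; not the real OttoKit file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: OttoKit (constructed sample)
 * Version: 1.0.82
 * Requires at least: 5.0
 */
"""


def parse_version(version):
    """Turn '1.0.82' into (1, 0, 82) so comparisons are numeric."""
    return tuple(int(part) for part in version.strip().split("."))


def version_from_header(header_text):
    """Extract the 'Version:' field from a plugin header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True if the version is within the affected range (<= 1.0.82)."""
    return parse_version(version) <= parse_version(AFFECTED_UP_TO)


def assess_header(header_text):
    """Return (version, vulnerable) for a plugin header; vulnerable is None if no version found."""
    version = version_from_header(header_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    ver, vuln = assess_header(SAMPLE_PLUGIN_HEADER)
    if ver is None:
        print("no version header found")
    elif vuln:
        print(f"version {ver} is affected; update to {FIXED_VERSION} or later")
    else:
        print(f"version {ver} is not in the affected range")
```

To use it on a live install, pass the contents of the plugin's main PHP file to `assess_header()`; the plugin directory name is not stated in the advisory, so locate the file under `wp-content/plugins/` on your own site.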
➡️ How to Update: Go to your WordPress dashboard and update OttoKit to the latest version or download it here.
Final Takeaway
This incident highlights the importance of staying on top of plugin security updates. With over 100K active installations, OttoKit is a high-profile target. Install a reliable firewall, enable 2FA, and regularly audit your site for unusual activity.