- The Ottokit plugin was vulnerable to a critical flaw that allows the creation of new administrator accounts
- It was patched at the end of April 2025, so users should update now
- Threat actors are scanning for exposed websites
Ottokit, a popular WordPress automation plugin, is vulnerable to a critical-severity flaw that allows threat actors to take over entire websites.
The bug is described as an incorrect privilege assignment flaw that allows privilege escalation. It affects all versions of the plugin prior to 1.0.83, which was released on April 21, 2025. It is tracked as CVE-2025-27007 and has a severity score of 9.8/10 (critical).
In theory, threat actors could send a crafted POST request to a vulnerable REST API endpoint exposed by Ottokit, carrying automation data that mimics the plugin's internal logic. Because of missing validation, Ottokit does not properly authenticate the request, and since the automation logic runs with elevated privileges, threat actors can create a new user account and assign it the administrator role.
Ottokit, previously known as SureTriggers, is designed to connect websites with various third-party services and enable workflow automation without coding.
It supports integrations with platforms such as WooCommerce, Mailchimp, Google Sheets and CRMs, allowing users to run tasks such as sending emails, updating user roles or synchronizing data across applications.
The plugin has more than 100,000 users, but most of them have already applied the patch. Even so, Patchstack security researchers said they observed attacks in the wild starting almost immediately after the flaw was publicly disclosed.
“It is recommended to update your site as soon as possible if you are using the Ottokit plugin and to review the logs and site configuration for these indicators of attack and compromise,” Patchstack said.
This is the second major vulnerability found in Ottokit this month, after CVE-2025-3102, another authentication bypass flaw, which received a “high” severity score of 8.1/10.
Via BleepingComputer
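The attack path described above (an unauthenticated POST to a plugin REST endpoint that ends in a new administrator account) leaves two traces a site owner can look for: the POST requests themselves in the web server access log, and administrator accounts registered after the plugin was patched. The script below is an added example written for this article; it is not Patchstack's or Ottokit's code. The access-log lines and user records are constructed, and the REST namespace `ottokit-placeholder` is an assumption that must be replaced with the namespace the installed plugin actually registers.

```python
"""Review helper for a WordPress site: flag POST requests to a plugin's REST
namespace in the access log, and list administrator accounts registered after
a cutoff date. Added example; log lines, user records and the REST namespace
are constructed/assumed, not taken from the article or the plugin."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption: replace with the REST namespace the plugin really registers.
REST_NAMESPACES = ("ottokit-placeholder",)

# Date the fixed plugin version (1.0.83) was released, per the article.
PATCH_RELEASE = datetime(2025, 4, 21, tzinfo=timezone.utc)

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2025:10:01:15 +0000] "POST /wp-json/ottokit-placeholder/v1/action HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [24/Apr/2025:10:02:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Apr/2025:10:03:02 +0000] "POST /?rest_route=/ottokit-placeholder/v1/action HTTP/1.1" 200 88 "-" "curl/8.4"
198.51.100.5 - - [24/Apr/2025:10:04:11 +0000] "POST /wp-json/contact-form-placeholder/v1/submit HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Apr/2025:10:05:30 +0000] "GET /wp-json/ottokit-placeholder/v1/status HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Constructed user records, shaped like a wp_users/usermeta export.
SAMPLE_USERS = [
    {"user_login": "admin", "registered": datetime(2023, 1, 10, tzinfo=timezone.utc), "roles": ["administrator"]},
    {"user_login": "editor1", "registered": datetime(2024, 5, 2, tzinfo=timezone.utc), "roles": ["editor"]},
    {"user_login": "wp_support_tmp", "registered": datetime(2025, 4, 24, tzinfo=timezone.utc), "roles": ["administrator"]},
    {"user_login": "sync_bot", "registered": datetime(2025, 4, 25, tzinfo=timezone.utc), "roles": ["subscriber"]},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_access_log(text):
    """Parse combined-format access log lines into dicts; skips malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def rest_route(path):
    """Return the REST route for a request, handling both the /wp-json/<route>
    form and the ?rest_route=/<route> form that WordPress also accepts."""
    parts = urlsplit(path)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    q = parse_qs(parts.query)
    if "rest_route" in q:
        return q["rest_route"][0]
    return None


def suspicious_rest_posts(entries, namespaces):
    """POST requests whose REST route falls under one of the given namespaces."""
    hits = []
    for e in entries:
        if e["method"] != "POST":
            continue
        route = rest_route(e["path"])
        if route and any(route.startswith(f"/{ns}/") for ns in namespaces):
            hits.append(e)
    return hits


def new_admins(users, since):
    """Administrator accounts registered on or after the cutoff date."""
    return [u for u in users if "administrator" in u["roles"] and u["registered"] >= since]


if __name__ == "__main__":
    for h in suspicious_rest_posts(parse_access_log(SAMPLE_ACCESS_LOG), REST_NAMESPACES):
        print(f"{h['ts'].isoformat()} {h['ip']} POST {h['path']} -> {h['status']} ({h['ua']})")
    for u in new_admins(SAMPLE_USERS, PATCH_RELEASE):
        print(f"admin registered after patch: {u['user_login']} on {u['registered'].date()}")
```

Both checks are deliberately simple so the output can be read by hand: a POST to the plugin namespace from an unfamiliar IP or a scripting user agent, followed within minutes by a new administrator registration, is the pattern worth escalating. Checking the `?rest_route=` form matters because WordPress serves REST routes through it even when pretty permalinks are disabled, so a filter that only looks at `/wp-json/` paths would miss those requests.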