CVE-2025-27007
Published 2025-05-01
Priority P191 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 50.19% (98.8th percentile)
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation. This issue affects OttoKit: from n/a through <= 1.0.82.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brainstorm_force | ottokit | <= 1.0.82 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to the REST API endpoint '/wp-json/sure-triggers/v1/connection/create-wp-connection' with a JSON body containing 'sure-triggers-access-key' and 'connection_status': 'ok', especially from unauthenticated sources.
- Alert on POST requests to '/wp-json/sure-triggers/v1/automation/action' or '?rest_route=/wp-json/sure-triggers/v1/automation/action' containing the parameter 'type_event=create_user_if_not_exists' combined with 'selected_options[role]=administrator'.
- Monitor for the HTTP header 'St-Authorization: Bearer <value>' on requests to SureTriggers/OttoKit REST API endpoints, particularly with empty or random/brute-forced bearer tokens, as this is the authentication mechanism abused in the exploit.
- Check WordPress user logs for newly created administrator accounts shortly after requests to the OttoKit REST API endpoints, especially accounts with randomized usernames, passwords, and email addresses indicating automated exploitation.
- Exploitation requires the plugin to be uninitialized (no API key or 'secret_key' set in the database). Audit WordPress sites for OttoKit installations where the secret_key is absent as a risk indicator.
- Exploitation activity started roughly 90 minutes after public disclosure on May 5, 2025; treat any OttoKit REST API activity from that date onward on unpatched (<=1.0.82) installations as high-priority investigation.
- The vulnerability is only exploitable when the OttoKit plugin is uninitialized — specifically when no API key or 'secret_key' is configured in the database. Patched sites (version 1.0.83+) added a validation check for the access key used in the request.
- The exploit bypasses authentication by exploiting a logic error in the 'create_wp_connection' function when application passwords are not set on the WordPress site.
- OttoKit vendor stated they found no evidence of real-world exploitation of CVE-2025-27007, and that the issue was patched within hours with users force-updated to version 1.0.83.
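The request-level indicators in the list above (the two REST routes in both their pretty-permalink and '?rest_route=' forms, the body parameters, and an empty 'St-Authorization: Bearer' header) can be turned into one detection pass over normalised request records. The following is an added example written for this page, not code from Patchstack, Wordfence or the OttoKit project. It assumes requests have already been normalised into JSON lines with method, path, query, headers and body fields; that format and the sample records are constructed here, and a real proxy or WAF audit log would need its own adapter.

```python
"""Flag request records that match the CVE-2025-27007 indicators listed above.

Added example; assumes a constructed JSON-lines record format (method, path,
query, headers, body), not any vendor's native log format.
"""
import json
from urllib.parse import parse_qs

# Route suffixes from the indicator list; matching on the suffix covers both
# '/wp-json/...' and the '?rest_route=/wp-json/...' form.
CONNECTION_ROUTE = "/sure-triggers/v1/connection/create-wp-connection"
ACTION_ROUTE = "/sure-triggers/v1/automation/action"

# Constructed sample traffic (not captured from a real site); source
# addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.10", "method": "POST",
     "path": "/wp-json/sure-triggers/v1/connection/create-wp-connection",
     "query": "", "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"sure-triggers-access-key": "x",
                         "connection_status": "ok"})},
    {"src": "203.0.113.10", "method": "POST", "path": "/index.php",
     "query": "rest_route=/wp-json/sure-triggers/v1/automation/action",
     "headers": {"St-Authorization": "Bearer ",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "type_event=create_user_if_not_exists"
             "&selected_options[role]=administrator"
             "&selected_options[user_name]=qz8k2p"},
    {"src": "198.51.100.7", "method": "GET", "path": "/wp-json/wp/v2/posts",
     "query": "per_page=5", "headers": {}, "body": ""},
    {"src": "198.51.100.8", "method": "POST",
     "path": "/wp-json/sure-triggers/v1/automation/action", "query": "",
     "headers": {"St-Authorization": "Bearer k9f2m1",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "type_event=create_post"},
])


def header(record, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in (record.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def rest_route(record):
    """REST route for both pretty-permalink and '?rest_route=' request forms."""
    query = parse_qs(record.get("query") or "")
    return query.get("rest_route", [record.get("path") or ""])[0]


def body_fields(record):
    """Flatten a JSON or form-encoded body into {name: [values]}."""
    body = record.get("body") or ""
    if "json" in (header(record, "Content-Type") or "").lower():
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(data, dict):
            return {}
        return {k: [str(v)] for k, v in data.items()}
    return parse_qs(body, keep_blank_values=True)


def classify(record):
    """Names of the indicators (from the list above) that one request matches."""
    hits = []
    if (record.get("method") or "").upper() != "POST":
        return hits
    route = rest_route(record)
    if "/sure-triggers/v1/" not in route:
        return hits  # only the plugin's own REST namespace is of interest
    fields = body_fields(record)
    if (route.endswith(CONNECTION_ROUTE)
            and "sure-triggers-access-key" in fields
            and fields.get("connection_status") == ["ok"]):
        hits.append("connection-create-with-access-key")
    if (route.endswith(ACTION_ROUTE)
            and fields.get("type_event") == ["create_user_if_not_exists"]
            and fields.get("selected_options[role]") == ["administrator"]):
        hits.append("automation-action-create-admin")
    auth = header(record, "St-Authorization")
    if auth is not None:
        scheme, _, token = auth.strip().partition(" ")
        if scheme.lower() == "bearer" and not token.strip():
            hits.append("empty-bearer-st-authorization")
    return hits


def scan(log_text):
    """Return (line_number, source_ip, indicators) for every flagged record."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole scan
        hits = classify(record)
        if hits:
            alerts.append((lineno, record.get("src"), hits))
    return alerts


if __name__ == "__main__":
    for lineno, src, hits in scan(SAMPLE_LOG):
        print(f"line {lineno} from {src}: {', '.join(hits)}")
```

Matching on the route suffix rather than the full path is deliberate: WordPress serves the same REST route through '/wp-json/...' and through '?rest_route=...', and an alert that keys only on the first form misses the second. The empty-bearer check is kept separate from the two body checks so that each indicator can be tuned or suppressed on its own; the fourth sample record (a non-admin action with a non-empty token) shows the rule staying quiet on ordinary plugin traffic.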
GHSA
GHSA-8r3j-hpqx-m8fj: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation
ghsa_unreviewed · 2025-05-01 · CVE-2025-27007 [CRITICAL] · CWE-266
Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation. This issue affects SureTriggers: from n/a through 1.0.82.
VulnCheck
CVE-2025-27007: suretriggers suretriggers Incorrect Privilege Assignment
vulncheck · 2025
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation. This issue affects OttoKit: from n/a through <= 1.0.82.
Affected: suretriggers suretriggers
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://patchstack.com/database/wordpress/plugin/suretriggers/vulnerability/wordpress-suretriggers-1-0-82-privilege-escalation-vulnerability
- https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched?_s_id=cve
- https://www.cve.org/cverecord?id=CVE-2025-27007
- https://www.wordfence.com/blog/2025/05/recentl
No detection rules found.
Exploit-DB
SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
exploitdb · 2025-05-09 · CVE-2025-27007
---
# Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
# Date: 2025-05-7
# Exploit Author: Abdualhadi khalifa (https://x.com/absholi7ly/)
# Affected: All versions of OttoKit (SureTriggers) ≤ 1.0.82.
Conditions for Exploitation
The vulnerability can be exploited under the following circumstances:
1. OttoKit must be installed and activated on the target WordPress site.
2. The plugin is *uninitialized* (e.g., no API key or "secret_key" is set in the database).
3. The target site displays the REST API endpoint '/wp-json/sure-triggers/v1/automation/action'.
HTTP Request
The following request targets the /wp-json/sure-triggers/v1/automation/action endpoint to create an administrator account:
POST /
Nuclei
OttoKit < 1.0.83 - SureTriggers allows Privilege Escalation
nuclei · CVSS 9.8 · CVE-2025-27007
Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation. This issue affects SureTriggers: from n/a through 1.0.82.
Template:
id: CVE-2025-27007
info:
  name: OttoKit < 1.0.83 - SureTriggers allows Privilege Escalation
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers- from n/a through 1.0.82.
  impact: |
    Unauthenticated attackers can create unauthorized connections and escalate privileges to administrator through the SureTriggers REST API endpoints, gaining complete control over the WordPress site.
  remediation: |
    Upgrade to
Nuclei
PrestaShop - SQL Injection to Eval Injection
nuclei · CVSS 9.8 · CVE-2022-31181 [CRITICAL]
PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function; the exploit requires the attacker to send malicious input.
Template:
id: CVE-2022-31181
info:
  name: PrestaShop - SQL Injection to Eval Injection
  author: daffainfo
  severity: critical
  description: |
    PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function, exploit requires attacker to send malicious input.
  remediation: |
    Upgrade to version 1.7.8.7 or later. Alternatively, delete the MySQL Smarty cache feature if upgrade is not possible.
  impact: |
    At
Metasploit
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
metasploit · CVSS 8.1 · CVE-2025-3102 [HIGH]
Exploits two distinct authorization bypasses in the SureTriggers/OttoKit plugin:
- CVE-2025-3102: admin creation via St-Authorization Bearer (empty)
- CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header
Checkpoint
12th May – Threat Intelligence Report
blogs_checkpoint · 2025-05-12 · CVE-2025-27363
## 12th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The UK’s Legal Aid Agency has suffered a cyberattack. The agency, which operates under the Ministry of Justice to provide billions in legal aid funding, has stated that financial information relating to legal aid providers may have been accessed by a third party.
UK based Education giant Pearson disclosed it had suffered a cyber
Bleepingcomputer
Hackers exploit OttoKit WordPress plugin flaw to add admin accounts
blogs_bleepingcomputer · 2025-05-07
## Hackers exploit OttoKit WordPress plugin flaw to add admin accounts
By Bill Toulas
Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.
OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used in over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.
Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.
The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, bypassing authentication checks
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio