CVE-2025-27007
published 2025-05-01


Priority: P1 91
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 50.19% (98.8th percentile)
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through <= 1.0.82.

Affected (1 range)

Vendor            Product   Version range   Fixed in
brainstorm_force  ottokit   <= 1.0.82

Detection & IOCs (extracted from sources)

url: /wp-json/sure-triggers/v1/connection/create-wp-connection
url: /wp-json/sure-triggers/v1/automation/action
url: ?rest_route=/wp-json/sure-triggers/v1/automation/action
path: /wp-content/plugins/suretriggers
command: type_event=create_user_if_not_exists
ua: OttoKit
  • Detect exploitation attempts by monitoring POST requests to the REST API endpoint '/wp-json/sure-triggers/v1/connection/create-wp-connection' with a JSON body containing 'sure-triggers-access-key' and 'connection_status': 'ok', especially from unauthenticated sources.
  • Alert on POST requests to '/wp-json/sure-triggers/v1/automation/action' or '?rest_route=/wp-json/sure-triggers/v1/automation/action' containing the parameter 'type_event=create_user_if_not_exists' combined with 'selected_options[role]=administrator'.
  • Monitor for the HTTP header 'St-Authorization: Bearer <value>' on requests to SureTriggers/OttoKit REST API endpoints, particularly with empty or random/brute-forced bearer tokens, as this is the authentication mechanism abused in the exploit.
  • Check WordPress user logs for newly created administrator accounts shortly after requests to the OttoKit REST API endpoints, especially accounts with randomized usernames, passwords, and email addresses indicating automated exploitation.
  • Exploitation requires the plugin to be uninitialized (no API key or 'secret_key' set in the database). Audit WordPress sites for OttoKit installations where the secret_key is absent as a risk indicator.
  • Exploitation activity started roughly 90 minutes after public disclosure on May 5, 2025; treat any OttoKit REST API activity from that date onward on unpatched (<=1.0.82) installations as high-priority investigation.
  • The vulnerability is only exploitable when the OttoKit plugin is uninitialized, specifically when no API key or 'secret_key' is configured in the database. Patched sites (version 1.0.83+) added a validation check for the access key used in the request.
  • The exploit bypasses authentication by exploiting a logic error in the 'create_wp_connection' function when application passwords are not set on the WordPress site.
  • OttoKit vendor stated they found no evidence of real-world exploitation of CVE-2025-27007, and that the issue was patched within hours with users force-updated to version 1.0.83.
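An added detection helper, not from the source or the vendor, that applies the request-level indicators above to constructed request records. The endpoint paths, parameter names and the 'St-Authorization' header come from the IOC list; the record format, helper names and tag strings are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Endpoints from the IOC list above.
CONNECTION_EP = "/wp-json/sure-triggers/v1/connection/create-wp-connection"
ACTION_EP = "/wp-json/sure-triggers/v1/automation/action"

def _body_fields(body):
    """Body fields as a flat dict: JSON object or form-encoded, else empty."""
    try:
        obj = json.loads(body)
        return obj if isinstance(obj, dict) else {}
    except (ValueError, TypeError):
        return {k: v[0] for k, v in parse_qs(body or "").items()}

def _target(url):
    """Resolve the REST route, including the '?rest_route=' form."""
    parts = urlsplit(url)
    route = parse_qs(parts.query).get("rest_route", [None])[0]
    return route or parts.path

def flag_request(method, url, headers, body):
    """Return detection tags for one request (empty list = nothing matched)."""
    tags = []
    target = _target(url)
    if not target.startswith("/wp-json/sure-triggers/"):
        return tags  # only OttoKit/SureTriggers routes are of interest
    fields = _body_fields(body)
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Bullet 1: connection creation with access key and connection_status=ok.
    if (method == "POST" and target == CONNECTION_EP
            and "sure-triggers-access-key" in fields
            and fields.get("connection_status") == "ok"):
        tags.append("ottokit-connection-attempt")
    # Bullet 2: automation action creating an administrator user.
    role = fields.get("selected_options[role]")
    if isinstance(fields.get("selected_options"), dict):
        role = fields["selected_options"].get("role", role)
    if (method == "POST" and target == ACTION_EP
            and fields.get("type_event") == "create_user_if_not_exists"
            and role == "administrator"):
        tags.append("ottokit-admin-user-creation")
    # Bullet 3: St-Authorization bearer header, flag an empty token separately.
    auth = hdrs.get("st-authorization")
    if auth is not None:
        parts = auth.split(None, 1)
        token = parts[1].strip() if len(parts) > 1 else ""
        tags.append("ottokit-st-authorization" + ("" if token else "-empty"))
    return tags
```

Feed it one record per request from your access or WAF logs; a non-empty result on an unpatched (<= 1.0.82) site should be triaged together with the new-administrator audit described above.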