Act Fast as OttoKit Security Flaw Threatens Your Website


A second severe OttoKit security flaw is being actively exploited in the wild. Tracked as CVE-2025-27007, the vulnerability carries a CVSS score of 9.8 (critical). It affects every version of the OttoKit WordPress plugin up to and including 1.0.82, putting a large number of WordPress sites at risk.

Privilege Escalation Flaw: What You Need to Know

According to Wordfence, the vulnerability arises from the create_wp_connection() function, which lacks a capability check and does not adequately verify the caller's authentication credentials. As a result, an unauthenticated attacker can establish a connection to the site, which is the first step toward privilege escalation.

Wordfence notes that exploitation is only possible in two specific scenarios:

  1. If a site has never enabled or used an application password, and OttoKit has never been connected via an application password.
  2. If an attacker gains authenticated access to the site and can generate a valid application password.

Wordfence has observed attackers exploiting the flaw in two steps: first establishing a connection to the site, then using that connection to create an administrative user account through the plugin's automation/action endpoint.

CVE-2025-27007 is not the only OttoKit flaw under attack. A separate vulnerability, CVE-2025-3102 (CVSS 8.1), has been exploited since April 2025, adding to the urgency around the plugin. Threat actors are likely targeting both vulnerabilities at once, scanning WordPress installations for sites that are exposed to one or both issues.

Active Exploitation and IP Addresses Under Scrutiny

The plugin has over 100,000 active installations, making it a prime target for malicious actors. Wordfence has observed multiple IP addresses actively targeting the flaws, including:

  • 2a0b:4141:820:1f4::2
  • 41.216.188.205
  • 144.91.119.115
  • 194.87.29.57
  • 196.251.69.118
  • 107.189.29.12
  • 205.185.123.102
  • 198.98.51.24
  • 198.98.52.226
  • 199.195.248.147

Given the active exploitation and the large number of affected sites, users must upgrade to OttoKit version 1.0.83 immediately. The flaw was publicly disclosed on May 2, 2025, and mass exploitation began as early as May 4, 2025.

In a separate advisory, Patchstack reported that exploitation attempts were detected just 91 minutes after the vulnerability was publicly disclosed. According to security researcher Chazz Wolcott, the issue stems from a logic error in the plugin that mishandles the response of the wp_authenticate_application_password function, combined with insufficient verification of user-supplied access tokens. Together these let an attacker take control of a site through the plugin's API, including creating additional Administrator-level accounts.
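The following triage script is an added example written for this article; it is not code from OttoKit, Wordfence or Patchstack. It checks an installed plugin version against the 1.0.83 fix, scans web-server access logs for the source addresses listed above and for the two-step chain the article describes (a successful hit on the connection endpoint followed by a hit on the automation/action endpoint from the same address), and flags administrator accounts registered after the suspected connection. The REST route strings and the sample log and user records are assumptions constructed for the example; confirm the real routes against the plugin installed on your site.

```python
import re
from datetime import datetime, timedelta, timezone

# Version that closes CVE-2025-27007 (from the article).
PATCHED_VERSION = (1, 0, 83)

# Source IPs Wordfence reported as targeting the flaws (copied from the article).
IOC_IPS = {
    "2a0b:4141:820:1f4::2", "41.216.188.205", "144.91.119.115", "194.87.29.57",
    "196.251.69.118", "107.189.29.12", "205.185.123.102", "198.98.51.24",
    "198.98.52.226", "199.195.248.147",
}

# The article names the create_wp_connection() function and the plugin's
# automation/action endpoint. The full route prefix below is an ASSUMPTION
# for this example; verify it against the routes registered on your site.
CONNECT_PATH = "/wp-json/sure-triggers/v1/connection/create_wp_connection"
ACTION_PATH = "/wp-json/sure-triggers/v1/automation/action"

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True for every OttoKit release up to and including 1.0.82."""
    return parse_version(version) < PATCHED_VERSION


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string
        "status": int(m["status"]),
    }


def find_exploit_chains(lines, window=timedelta(minutes=30)):
    """Return every request from a known IOC address, plus each
    connect -> automation/action sequence from one source within `window`.
    Only a 200 on the connection endpoint counts as a successful first step."""
    events = [e for e in map(parse_line, lines) if e]
    ioc_hits = [e for e in events if e["ip"] in IOC_IPS]
    chains = []
    for c in (e for e in events if e["path"] == CONNECT_PATH and e["status"] == 200):
        for a in events:
            if (a["ip"] == c["ip"] and a["path"] == ACTION_PATH
                    and c["ts"] <= a["ts"] <= c["ts"] + window):
                chains.append((c["ip"], c["ts"], a["ts"]))
                break
    return {"ioc_hits": ioc_hits, "chains": chains}


def suspicious_admins(users, since):
    """Administrator accounts registered at or after the suspected connection."""
    return [u["login"] for u in users
            if u["role"] == "administrator" and u["registered"] >= since]


# Constructed sample data (not real logs); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    '198.98.51.24 - - [04/May/2025:09:12:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create_wp_connection HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.98.51.24 - - [04/May/2025:09:12:07 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/May/2025:09:15:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '144.91.119.115 - - [04/May/2025:09:20:10 +0000] "POST /wp-json/sure-triggers/v1/connection/create_wp_connection HTTP/1.1" 403 45 "-" "curl/8.4.0"',
    '203.0.113.9 - - [04/May/2025:09:30:00 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [  # constructed; mirrors `wp user list --fields=user_login,roles,user_registered`
    {"login": "admin", "role": "administrator", "registered": datetime(2023, 1, 5, tzinfo=timezone.utc)},
    {"login": "editor1", "role": "editor", "registered": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"login": "wp_supp0rt", "role": "administrator", "registered": datetime(2025, 5, 4, 9, 12, 8, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print("1.0.82 vulnerable:", is_vulnerable("1.0.82"))
    result = find_exploit_chains(SAMPLE_LOG)
    print("IOC hits:", [(e["ip"], e["path"], e["status"]) for e in result["ioc_hits"]])
    for ip, t0, t1 in result["chains"]:
        print(f"chain from {ip}: connect {t0:%H:%M:%S}, action {t1:%H:%M:%S}")
        print("admins created since:", suspicious_admins(SAMPLE_USERS, t0))
```

A request to the connection endpoint from an address not on the list is still worth a look: the IOC addresses are only those Wordfence happened to observe, so the chain detection deliberately ignores the source list and keys on the request sequence instead.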

Urgent Patch Needed

To mitigate the risk posed by these vulnerabilities, OttoKit users are urged to upgrade to version 1.0.83 immediately. Sites left on an older release remain exposed to privilege escalation that hands attackers full control. Because the observed attack chain ends with a new administrator account, sites that were running a vulnerable version during the exploitation window should also audit their user list for unexpected administrators and review access logs for requests from the addresses listed above.
