Plugin Security | Breaking Cybersecurity News | The Hacker News

A second security flaw impacting the OttoKit (formerly SureTriggers ) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  "This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user's authentication credentials," Wordfence said . "This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible." That said, the vulnerability is exploitable only in two possible scenarios - When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before When an attacker has authenticated access to a site and can generate a valid application password Wordfence revealed that it obs...

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78," Wordfence's István Márton said . "This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key." Successful exploitation of the vulnerabilit...

Everyone has cybersecurity stories involving family members. Here's a relatively common one. The conversation usually goes something like this:  "The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I've never seen before. Isn't that weird?" This is an example of an account takeover attack on a customer account. Typically what happens is that a streaming account is compromised, probably due to a weak and reused password, and access is resold as part of a common digital black market product, often advertised as something like "LIFETIME STREAMING SERVICE ACCOUNT - $4 USD." In the grand scheme of things, this is a relatively mild inconvenience for most customers. You can reset your credentials with a much stronger password, call your bank to issue a new credit card and be back to binge-watching The Crown i...