Hi everyone,
Sujay here, CEO of OttoKit.
When you trust us to automate your workflows, you are trusting us with your operations. That’s something we take seriously, every single day.
On April 16, 2025, we received a private report about a potential security issue in the OttoKit WordPress plugin (formerly SureTriggers). You may have seen it mentioned on platforms like Hacker News. I want to personally walk you through what happened and how we responded.
What Happened
We were contacted by Patchstack, a respected WordPress-focused security research platform, about a possible privilege escalation vulnerability in version 1.0.82 of the OttoKit plugin.
Under specific and rare conditions, the flaw could have allowed a logged-in user to raise their access level. The following CVEs were assigned:
- CVE-2025-27007
- CVE-2025-3102
How We Responded
As soon as we received the report, our security and engineering teams jumped into action. Here’s what we did:
- Verified the issue internally within hours.
- Released a patched version (1.0.83) to address both vulnerabilities.
- Coordinated with the WordPress.org Plugins team to push a forced auto-update.
- Performed a full internal security audit of the plugin.
- Stayed in contact with Patchstack and WordPress.org to ensure proper resolution.
Was There Any Impact?
No sites were compromised. There was no evidence that the vulnerability was exploited.
Some reports suggested up to 100,000 sites were affected. That’s incorrect.
To exploit the issue, an attacker would need one of the following:
- A site on which an application password had never been enabled or used, or
- Authenticated access together with the ability to generate a valid application password
Because of these rare requirements, the chance of real-world impact was extremely low. Even so, we treated it as critical and resolved it with urgency.
Final Thoughts
Security isn’t just a checkbox for us; it’s something we build into every part of OttoKit.
The issue was resolved before any harm was done, thanks to the fast release of version 1.0.83 and the automatic update.
This situation reminded us of the importance of acting fast, being open, and building strong partnerships with ethical researchers.
I’m incredibly proud of our team’s response and thankful to Patchstack and the WordPress.org Plugins team for helping us move swiftly.
And most importantly, thank you for trusting us. We’ll keep working hard to earn it, every day.
Sujay Pawar
CEO, OttoKit