
SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation

Severity: High
Tags: exploit, web exploit
Published: Fri May 09 2025 (05/09/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation

AI-Powered Analysis

Last updated: 06/11/2025, 21:09:10 UTC

Technical Analysis

The SureTriggers OttoKit Plugin version 1.0.82 for WordPress contains a critical privilege escalation vulnerability that allows an unauthenticated attacker to create an administrator account on the target WordPress site. The vulnerability arises when the plugin is installed and activated but remains uninitialized, meaning no API key or 'secret_key' is set in the database. Under these conditions, the plugin exposes a REST API endpoint at '/wp-json/sure-triggers/v1/automation/action' that can be exploited. An attacker can send a crafted HTTP POST request to this endpoint with specific parameters to create a new user account with administrator privileges. The exploit leverages the lack of proper authentication and input validation in the plugin's REST API, allowing privilege escalation without requiring any prior credentials or user interaction. The exploit code demonstrates how to send a POST request with parameters such as 'user_name', 'user_email', 'password', and 'role' set to 'administrator', effectively granting full administrative control over the WordPress site to the attacker. This vulnerability affects all versions of OttoKit up to and including 1.0.82. No patch links are currently provided, and no known exploits are reported in the wild yet, but the presence of public exploit code increases the risk of exploitation. The vulnerability impacts the confidentiality, integrity, and availability of the affected WordPress sites, as attackers can fully control the site, modify content, steal data, or deploy further malicious payloads.

Potential Impact

For European organizations using WordPress sites with the SureTriggers OttoKit plugin, this vulnerability poses a severe risk. Successful exploitation leads to full administrative access, enabling attackers to manipulate website content, steal sensitive data, deploy malware, or pivot to internal networks. This can result in data breaches, reputational damage, service disruption, and regulatory non-compliance, especially under GDPR. Organizations relying on WordPress for e-commerce, customer portals, or public-facing services are particularly vulnerable. The ease of exploitation without authentication or user interaction means that attackers can automate attacks at scale, increasing the likelihood of widespread compromise. Additionally, compromised sites can be used as launchpads for phishing or malware distribution campaigns targeting European users. The lack of a patch and public exploit availability heightens the urgency for mitigation.

Mitigation Recommendations

1. Immediately audit all WordPress sites to identify installations of the SureTriggers OttoKit plugin, especially versions ≤ 1.0.82.
2. Verify plugin initialization status; ensure that API keys or secret keys are properly configured to prevent the plugin from operating in an uninitialized state.
3. If the plugin is not essential, consider disabling or uninstalling it until a patched version is released.
4. Implement Web Application Firewall (WAF) rules to block unauthorized POST requests to the '/wp-json/sure-triggers/v1/automation/action' endpoint, especially those attempting to create users or escalate privileges.
5. Monitor WordPress user accounts for unauthorized administrator accounts and remove any suspicious users immediately.
6. Restrict access to the REST API endpoints by IP whitelisting or authentication where possible.
7. Keep WordPress core, plugins, and themes updated and subscribe to vendor security advisories for timely patching.
8. Conduct regular security audits and penetration testing focusing on REST API endpoints.
9. Educate site administrators about the risks of leaving plugins uninitialized and the importance of secure configuration.
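To support recommendations 4 and 5, the following added example (not part of the advisory or the plugin) scans web-server access logs for POST requests to the endpoint named above and separates accepted (2xx) requests from blocked ones, so that a successful hit can be followed by a review of the site's user table. It assumes the Apache/nginx "combined" log format; the log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Endpoint named in the advisory; exposed when the plugin has no secret_key set.
OTTOKIT_ACTION_ENDPOINT = "/wp-json/sure-triggers/v1/automation/action"

# Apache/nginx "combined" access-log format (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2025:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [09/May/2025:10:01:05 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [09/May/2025:10:01:06 +0000] "POST /wp-json/sure-triggers/v1/automation/action?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.31"
203.0.113.9 - - [09/May/2025:10:02:11 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 403 88 "-" "curl/8.4.0"
203.0.113.7 - - [09/May/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_ottokit_action_posts(log_text):
    """Return parsed entries for POST requests to the OttoKit automation/action endpoint.
    The query string is ignored so '?x=1' variants still match; 'succeeded' is True
    for 2xx responses, the cases that warrant a review of wp_users for new admins."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["method"] != "POST":
            continue
        path = entry["path"].split("?", 1)[0]
        if path == OTTOKIT_ACTION_ENDPOINT:
            entry["succeeded"] = entry["status"].startswith("2")
            hits.append(entry)
    return hits

def summarize_by_source(hits):
    """Count accepted (2xx) endpoint POSTs per source IP to prioritise triage."""
    return Counter(h["ip"] for h in hits if h["succeeded"])

if __name__ == "__main__":
    hits = find_ottokit_action_posts(SAMPLE_LOG)
    print([(h["ts"], h["ip"], h["status"], h["succeeded"]) for h in hits])
    print(summarize_by_source(hits))
```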


Technical Details

Edb Id: 52286
Has Exploit Code: true
Code Language: text

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation

# Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
# Date: 2025-05-7
# Exploit Author: Abdualhadi khalifa (https://x.com/absholi7ly/)

# Affected: All versions of OttoKit (SureTriggers) ≤ 1.0.82.

Conditions for Exploitation
<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#conditions-for-exploitation>

The vulnerability can be exploited under the following circumstances:

   1. OttoKit must be installed and activated on the target WordPress site.
... (845 more characters)
Code Length: 1,345 characters

Threat ID: 68489e037e6d765d51d53ace

Added to database: 6/10/2025, 9:05:07 PM

Last enriched: 6/11/2025, 9:09:10 PM

Last updated: 8/15/2025, 10:55:05 AM

Views: 14
