Privilege Escalation Vulnerability in SureTriggers by Brainstorm Force
CVE-2025-27007

9.8 CRITICAL

Key Information:

Vendor: Brainstorm Force
CVE Published: 1 May 2025

Badges: 📈 Score: 125 · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 78% · 📰 News Worthy

What is CVE-2025-27007?

CVE-2025-27007 is a privilege escalation vulnerability in SureTriggers (since renamed OttoKit), a WordPress plugin by Brainstorm Force used to automate tasks and workflows on a site. It is rated CVSS 9.8 with Privileges Required: None, so this is not a bug that a low-privileged account abuses to move up one role: an attacker with no account on the site at all can end up with administrator access. At that level the attacker controls every setting, action and piece of content on the site, and can read any data it holds.

Technical Details

The flaw is an authentication failure in the plugin's own code, not in WordPress core: a request that should have required valid credentials was accepted without them, and the code path it reached can create WordPress users, so an unauthenticated attacker can create an account in the administrator role. The exploitation reports cited below describe exactly this being done in the wild. All releases up to and including 1.0.82 are affected; 1.0.83 contains the fix. Because the attack needs no account and no user interaction and scores Attack Complexity: Low, any internet-reachable site still running an affected version should be treated as exposed until it is updated.

Potential Impact of CVE-2025-27007

  1. Unauthorized Data Access: Attackers could exploit this vulnerability to gain access to restricted data or modify critical configurations, potentially affecting the integrity of the website's data and user privacy.

  2. Site Manipulation: An attacker holding an administrator account can change content and settings, install or modify plugins and themes (including backdoored ones), and create further accounts for persistence, compromising the site well beyond the plugin itself.

  3. Reputation Damage: Organizations relying on SureTriggers for their business operations may suffer significant reputational harm and loss of user trust if this vulnerability is exploited successfully, especially if sensitive data is leaked or compromised.

Affected Version(s)

SureTriggers <= 1.0.82
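The script below is an added example, not code from SureTriggers/OttoKit, Brainstorm Force or Patchstack. It performs the two checks a site operator needs for this CVE offline: whether the installed plugin build falls in the affected range (older than 1.0.83), read from the plugin file header, and whether an administrator account has appeared since a chosen baseline date, which is the direct artefact of the unauthenticated admin-creation attack described above. The plugin header, the user rows and the dates are constructed for the example; the `wp_` table prefix and the timestamp format are WordPress defaults and must be adjusted to the site being audited.

```python
"""
Added example for CVE-2025-27007 (not code from SureTriggers/OttoKit, Brainstorm Force
or Patchstack): an offline check for the two things a site operator needs to know,
  1. is the installed SureTriggers/OttoKit build in the affected range (<= 1.0.82)?
  2. has an administrator account appeared since a chosen baseline date, which is
     the direct artefact of the unauthenticated admin-creation attack?
Plugin header, user rows and dates below are constructed for the example.
"""
import re
from datetime import datetime
from typing import Iterable, Optional

# First release that closes CVE-2025-27007, per the advisory summary on the page.
FIXED_VERSION = "1.0.83"

# PHP-serialized entry WordPress stores in <prefix>capabilities for an administrator.
ADMIN_CAPABILITY = re.compile(r's:13:"administrator";b:1;')


def parse_version(version: str) -> tuple:
    """'1.0.82' -> (1, 0, 82). Digits in a suffix such as '-rc1' become trailing
    components, which is good enough for comparing release builds."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"no numeric component in version string {version!r}")
    return tuple(int(n) for n in numbers)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release (i.e. <= 1.0.82)."""
    return parse_version(version) < parse_version(fixed)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' field of a WordPress plugin file header (the main .php file)."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def find_admins_created_since(users: Iterable[tuple], usermeta: Iterable[tuple],
                              baseline: datetime, cap_key: str = "wp_capabilities") -> list:
    """
    users:    (ID, user_login, user_registered) rows from wp_users; WordPress writes
              user_registered as 'YYYY-MM-DD HH:MM:SS' in GMT.
    usermeta: (user_id, meta_key, meta_value) rows from wp_usermeta.
    cap_key:  change to '<prefix>capabilities' if the site uses a non-default table prefix.
    Returns the logins of administrators registered at or after `baseline`, sorted.
    """
    admin_ids = {uid for uid, key, value in usermeta
                 if key == cap_key and ADMIN_CAPABILITY.search(value)}
    flagged = [login for uid, login, registered in users
               if uid in admin_ids
               and datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= baseline]
    return sorted(flagged)


def audit(php_source: str, users, usermeta, baseline: datetime) -> dict:
    """Combine both checks into one report."""
    version = plugin_version_from_header(php_source)
    return {
        "version": version,
        "affected": version is not None and is_affected(version),
        "new_admins": find_admins_created_since(users, usermeta, baseline),
    }


# --- constructed sample input (not real site data) ---------------------------------
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: SureTriggers
 * Version: 1.0.82
 */
"""

SAMPLE_USERS = [
    (1, "siteowner", "2023-02-14 09:12:00"),
    (2, "editor_jane", "2024-06-01 10:00:00"),
    (7, "wpadmin_support", "2025-05-03 02:41:17"),   # admin nobody created on purpose
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
# Baseline: the CVE publication date given on this page; use your last known-good audit.
BASELINE = datetime(2025, 5, 1)

if __name__ == "__main__":
    report = audit(SAMPLE_PLUGIN_HEADER, SAMPLE_USERS, SAMPLE_USERMETA, BASELINE)
    print(report)
    if report["affected"]:
        print(f"update to {FIXED_VERSION} or later")
    for login in report["new_admins"]:
        print(f"review administrator account {login!r}: created after baseline")
```

On a live site the same two facts can be pulled with WP-CLI (`wp plugin list --fields=name,version` and `wp user list --role=administrator --fields=user_login,user_registered`) and fed to the functions above; the point of the baseline date is that an administrator created after the site was already running a vulnerable build, by nobody the owner can name, is the account to remove first, followed by rotating every credential that account could have seen.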

Exploit Proof of Concept (PoC)

Proof-of-concept (PoC) code is written by security researchers to demonstrate that a vulnerability can be exploited. Once public, PoC code is also a building block for weaponization, which can end in malware or ransomware deployment; for a flaw that hands out administrator accounts without credentials, the step from PoC to mass exploitation is short.

News Articles

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

CVE-2025-27007 is being exploited in the wild against the OttoKit WordPress plugin (formerly SureTriggers) in versions before 1.0.83; the flaw lets attackers create administrator accounts without authentication.

EPSS Score

EPSS estimates a 78% probability that exploitation activity will be observed in the next 30 days.

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by The Hacker News
  • Vulnerability published
  • Vulnerability reserved

Credit

Denver Jackson (Patchstack Alliance)