Brainstorm Force OttoKit Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Brainstorm Force OttoKit (formerly SureTriggers) WordPress plugin, affecting versions through 1.0.82. The flaw is a logic error in the plugin's handling of application password authentication that lets unauthenticated users gain elevated privileges. As a result, an attacker could take full control of a WordPress site via the OttoKit API, including creating new administrator accounts; sites whose administrator has not set an application password are the ones exposed.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling an attacker to gain administrative rights on the affected WordPress site. This could lead to full control over the site, including the creation of new administrator accounts.

Reproduction

The vulnerability can be reproduced by sending a request to the 'sure-triggers/v1/connection/create-wp-connection' REST API endpoint. The request must include the 'wp-username' parameter (the site administrator's username) and the 'wp-password' parameter (which can be any value). If the administrator has not set an application password, the request is accepted and a connection is established, bypassing the authentication requirement.

Remediation

Users of the OttoKit WordPress plugin should update to version 1.0.83 or later. Patchstack users are already protected from this vulnerability, and no further action is required.
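The two checks a site operator needs from the Reproduction and Remediation sections above are (a) whether the installed plugin version predates the fix, and (b) whether anything has been calling the connection-creation endpoint. The following Python script is an added example and is not code from the advisory, from Patchstack or from the OttoKit project. It assumes the plugin version string uses the usual dotted numeric form and that the web server writes Apache/nginx "combined" access logs; the log lines below are constructed for illustration, and it also recognises the ?rest_route= form of the URL, which WordPress accepts for any REST route and which the advisory does not mention.

```python
import re
from urllib.parse import parse_qs, urlparse

# REST route named in the advisory, in the two forms WordPress routes it.
ROUTE = "/sure-triggers/v1/connection/create-wp-connection"
PRETTY_PATH = "/wp-json" + ROUTE
FIXED_VERSION = (1, 0, 83)  # first patched release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.0.82' into (1, 0, 82) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed OttoKit/SureTriggers version is 1.0.82 or earlier."""
    return parse_version(version) < FIXED_VERSION


# Combined log format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def hits_route(target: str) -> bool:
    """Match both /wp-json/<route> and /index.php?rest_route=<route>."""
    parsed = urlparse(target)
    if parsed.path.rstrip("/") == PRETTY_PATH:
        return True
    rest_route = parse_qs(parsed.query).get("rest_route", [""])[0]
    return rest_route.rstrip("/") == ROUTE


def flag_connection_requests(lines):
    """Return one record per request that reached the connection-create endpoint.

    Any such request from an unexpected source is worth a look on an unpatched
    site; a 2xx response to a POST is the case to treat as a likely compromise.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_route(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": m.group("status"),
            "ua": m.group("ua"),
            "likely_success": m.group("method") == "POST"
            and m.group("status").startswith("2"),
        })
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Jun/2025:19:46:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 87 "-" "python-requests/2.32"',
    '198.51.100.7 - - [09/Jun/2025:19:46:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [09/Jun/2025:19:46:09 +0000] "POST /index.php?rest_route=/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 403 52 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ver in ("1.0.82", "1.0.83", "1.0.9"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    for hit in flag_connection_requests(SAMPLE_LOG):
        print(hit)
```

Note that the version check compares tuples rather than strings: a naive string comparison would rank "1.0.9" above "1.0.83" and miss an affected install. The log check flags every request to the endpoint, not just successful ones, because a burst of rejected attempts from one source is itself a useful signal on a site that has since been patched.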

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.