A second security flaw affecting the OttoKit (formerly SureTriggers) WordPress plugin is being actively exploited in the wild.
The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug that affects all versions of the plugin up to and including version 1.0.82.
“This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user's authentication credentials,” Wordfence noted. “This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible.”
That said, the vulnerability is only exploitable in two scenarios –
- If the site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before
- If the attacker has authenticated access to the site and can generate a valid application password
Wordfence said it observed threat actors attempting to exploit the initial vulnerability in order to connect to a site, followed by attempts to use an administrative user account through an automation/action.
In addition, exploitation attempts have also been aimed at CVE-2025-3102 (CVSS score: 8.1), another flaw in the same plugin that has likewise been exploited in the wild since last month.
This suggests that threat actors are opportunistically scanning WordPress installations to determine whether they are susceptible to either of the two flaws. The IP addresses observed targeting the vulnerabilities are listed below –
- 2a0b:4141:820:1f4::2
- 41.216.188.205
- 144.91.119.115
- 194.87.29.57
- 196.251.69.118
- 107.189.29.12
- 205.185.123.102
- 198.98.51.24
- 198.98.52.226
- 199.195.248.147
Given that the plugin has more than 100,000 active installations, it is essential that users move quickly to apply the latest patches (version 1.0.83).
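The two checks a site operator would actually run after reading the above are (a) whether the installed OttoKit build is below the patched 1.0.83 release, and (b) whether any of the published indicator addresses appear in the site's web-server access logs. The following is an added example written for this page, not code from Wordfence or the OttoKit project. It assumes common/combined access-log format and uses constructed sample log lines with placeholder request paths (the article does not name the plugin's endpoint). Client addresses are parsed with Python's ipaddress module so that the IPv6 indicator still matches when a log writes it in expanded form, and versions are compared numerically so that 1.0.9 is correctly treated as older than 1.0.83:

```python
"""Check an OttoKit version against the patched release and scan access logs
for the indicator addresses published for CVE-2025-27007 / CVE-2025-3102."""
import ipaddress
import re

# Indicator addresses from the Wordfence report quoted in the article,
# parsed once so comparisons are on address objects, not strings.
IOC_ADDRESSES = frozenset(ipaddress.ip_address(a) for a in (
    "2a0b:4141:820:1f4::2",
    "41.216.188.205",
    "144.91.119.115",
    "194.87.29.57",
    "196.251.69.118",
    "107.189.29.12",
    "205.185.123.102",
    "198.98.51.24",
    "198.98.52.226",
    "199.195.248.147",
))

# First OttoKit release carrying the fix; every earlier version is affected.
PATCHED_VERSION = "1.0.83"

# Common/combined log format: client address, identity, user, [timestamp],
# "request line", status. Only the fields used below are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_version(version):
    """Turn '1.0.82' into (1, 0, 82) so ordering is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed_version):
    """True when the installed build predates the patched release."""
    return parse_version(installed_version) < parse_version(PATCHED_VERSION)


def find_ioc_hits(log_lines):
    """Return (address, timestamp, request) for every log line whose client
    address is on the indicator list. Addresses are normalised through
    ipaddress, so an expanded IPv6 form still matches the compressed IOC."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # '-' or a hostname in the client field; nothing to match
        if addr in IOC_ADDRESSES:
            hits.append((str(addr), m.group("ts"), m.group("req")))
    return hits


# Constructed sample log lines (not real traffic). Request paths are
# placeholders, not the plugin's endpoint.
SAMPLE_LOG = [
    '203.0.113.10 - - [04/May/2025:01:59:31 +0000] "GET / HTTP/1.1" 200 5120',
    '2a0b:4141:0820:01f4:0000:0000:0000:0002 - - [04/May/2025:02:13:07 +0000] '
    '"POST /wp-json/ HTTP/1.1" 200 311',
    '198.98.51.24 - - [04/May/2025:02:13:09 +0000] "POST /wp-json/ HTTP/1.1" 401 93',
    '- - - [04/May/2025:02:14:00 +0000] "GET /robots.txt HTTP/1.1" 200 67',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, req in find_ioc_hits(SAMPLE_LOG):
        print(f"{ts}  {ip}  {req}")
    for v in ("1.0.82", "1.0.83", "1.0.9"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

To run it against a real server, replace SAMPLE_LOG with the lines of the access log (for example `open("/var/log/nginx/access.log")`), and read the installed version from the plugin's main file header rather than typing it in. A hit from one of these addresses is a scanning indicator, not proof of compromise; the follow-up is to review the administrative user list and any automations the plugin has stored.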
“Attackers may have begun actively targeting this vulnerability as early as May 2, 2025, with mass exploitation starting on May 4, 2025,” Wordfence said.