OttoKit: All-in-One Automation Platform <= 1.1.27 - Unauthenticated PHP Object Injection
Description
The OttoKit: All-in-One Automation Platform plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.27 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v1.1.28
Source Code
WordPress.org SVNThis research plan targets **CVE-2026-49781**, a PHP Object Injection vulnerability in the **OttoKit: All-in-One Automation Platform** plugin. ### 1. Vulnerability Summary The OttoKit plugin (formerly SureTriggers) uses a "Bridge" mechanism to communicate with its SaaS platform. In versions up to a…
Show full research plan
This research plan targets CVE-2026-49781, a PHP Object Injection vulnerability in the OttoKit: All-in-One Automation Platform plugin.
1. Vulnerability Summary
The OttoKit plugin (formerly SureTriggers) uses a "Bridge" mechanism to communicate with its SaaS platform. In versions up to and including 1.1.27, the plugin exposes a REST API endpoint that accepts a base64-encoded serialized string via the data parameter. Because this input is passed directly to unserialize() without sufficient authentication or validation during certain states (e.g., before the site is fully connected or via flaws in the signature check), an unauthenticated attacker can inject arbitrary PHP objects.
2. Attack Vector Analysis
- Endpoint:
POST /wp-json/suretriggers/v1/bridge - Alternative Endpoint:
admin-ajax.php?action=handle_trigger_button_click(via shortcode-generated forms). - Vulnerable Parameter:
data(Body or Query string depending on the handler). - Authentication: Unauthenticated.
- Preconditions: The plugin must be active. The vulnerability is most accessible if the plugin has not yet been "paired" with the OttoKit SaaS, or if the signature verification can be bypassed.
3. Code Flow
- Entry Point: The plugin registers REST routes in
SureTriggers\Controllers\RestController(referenced insrc/Controllers/WebhookRequestsController.php). - Route Registration: The route
/suretriggers/v1/bridgeis registered with apermission_callbackthat may returntrueor fail to validate signatures when the site is in a "disconnected" state. - The Sink: The
bridgemethod inRestControllerprocesses the request:// Logical flow inside RestController::bridge public function bridge( $request ) { $data = $request->get_param( 'data' ); // User controlled input if ( ! empty( $data ) ) { $payload = unserialize( base
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.