CVE-2026-49781

OttoKit: All-in-One Automation Platform <= 1.1.27 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.1.28
Patched in
5d
Time to patch

Description

The OttoKit: All-in-One Automation Platform plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.27 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.1.27
PublishedJune 4, 2026
Last updatedJune 8, 2026
Affected pluginsuretriggers

What Changed in the Fix

Changes introduced in v1.1.28

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2026-49781**, a PHP Object Injection vulnerability in the **OttoKit: All-in-One Automation Platform** plugin. ### 1. Vulnerability Summary The OttoKit plugin (formerly SureTriggers) uses a "Bridge" mechanism to communicate with its SaaS platform. In versions up to a…

Show full research plan

This research plan targets CVE-2026-49781, a PHP Object Injection vulnerability in the OttoKit: All-in-One Automation Platform plugin.

1. Vulnerability Summary

The OttoKit plugin (formerly SureTriggers) uses a "Bridge" mechanism to communicate with its SaaS platform. In versions up to and including 1.1.27, the plugin exposes a REST API endpoint that accepts a base64-encoded serialized string via the data parameter. Because this input is passed directly to unserialize() without sufficient authentication or validation during certain states (e.g., before the site is fully connected or via flaws in the signature check), an unauthenticated attacker can inject arbitrary PHP objects.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/suretriggers/v1/bridge
  • Alternative Endpoint: admin-ajax.php?action=handle_trigger_button_click (via shortcode-generated forms).
  • Vulnerable Parameter: data (Body or Query string depending on the handler).
  • Authentication: Unauthenticated.
  • Preconditions: The plugin must be active. The vulnerability is most accessible if the plugin has not yet been "paired" with the OttoKit SaaS, or if the signature verification can be bypassed.

3. Code Flow

  1. Entry Point: The plugin registers REST routes in SureTriggers\Controllers\RestController (referenced in src/Controllers/WebhookRequestsController.php).
  2. Route Registration: The route /suretriggers/v1/bridge is registered with a permission_callback that may return true or fail to validate signatures when the site is in a "disconnected" state.
  3. The Sink: The bridge method in RestController processes the request:
    // Logical flow inside RestController::bridge
    public function bridge( $request ) {
        $data = $request->get_param( 'data' ); // User controlled input
        if ( ! empty( $data ) ) {
            $payload = unserialize( base
    

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.