
OttoKit EUVD-2026-36898

CVE-2026-49781 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-pf55-gh7m-56fg
CVSS 3.1: 9.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), PRIMARY: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
Unauthenticated network-reachable PHP object injection with no user interaction; deserialization gadget chains routinely yield full code execution, giving C:H/I:H/A:H.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 21:27 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running OttoKit ≤ 1.1.27
Delivery: Send unauthenticated request with serialized PHP payload
Exploit: Plugin unserialize() instantiates attacker objects
Execution: POP gadget chain triggers on magic methods
Persist: Write webshell or exfiltrate wp-config
Impact: Full site and database takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the target WordPress site has the OttoKit (SureTriggers) plugin installed and activated at version 1.1.27 or earlier, and that the vulnerable endpoint is reachable over the network - no authentication and no user interaction are needed (CVSS PR:N/UI:N). …

Risk Assessment: All signals point to high real-world risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable, low-complexity, unauthenticated bug with full CIA impact, and CWE-502 in PHP is a well-understood, automatable bug class. …

Exploit Scenario: An attacker scans the internet for WordPress sites exposing OttoKit ≤ 1.1.27 endpoints, then sends an unauthenticated HTTP request containing a crafted serialized PHP payload targeting a known POP gadget chain in WordPress core or a co-installed plugin. When the plugin deserializes the payload, the gadget chain executes - typically writing a PHP webshell to the uploads directory or exfiltrating wp-config.php database credentials, leading to full site takeover. …

Remediation: Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed from the supplied input, so administrators should upgrade OttoKit to the latest version above 1.1.27 published by Brainstorm Force and verify the installed version under wp-admin → Plugins. …

Recommended Action (AI)

24 hours: Audit all WordPress installations for OttoKit (formerly SureTriggers) plugin presence and immediately deactivate and remove all versions up to 1.1.27 from production systems. …
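
An added example (not from the advisory or from the OttoKit project): a Python audit helper for the check recommended above, which reads WordPress plugin header comments on disk and flags any OttoKit/SureTriggers copy at or below 1.1.27. It assumes the default `wp-content/plugins` layout; the sample tree, folder names and version 9.9.9 in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (1, 1, 27)              # page: OttoKit <= 1.1.27 is affected
NAMES = ("ottokit", "suretriggers")    # current and former plugin name, per the page
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'1.1.27' -> (1, 1, 27); padded to three parts; None if no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def read_headers(php_file):
    """Parse the plugin header comment; WordPress itself only reads the first 8 KiB."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace")
    found = {}
    for key, value in HEADER.findall(head):
        found.setdefault(key.lower(), value)   # first occurrence wins
    return found

def audit(wp_root):
    """Return (plugin_dir, name, version, status) for each OttoKit/SureTriggers copy."""
    rows = []
    # Assumption: default plugin location; sites that relocate it need that path instead.
    for php in sorted((Path(wp_root) / "wp-content" / "plugins").glob("*/*.php")):
        h = read_headers(php)
        name = h.get("plugin name", "")
        if not any(n in name.lower() for n in NAMES):
            continue
        ver = parse_version(h.get("version", ""))
        status = "unknown" if ver is None else "affected" if ver <= AFFECTED_MAX else "newer"
        rows.append((php.parent.name, name, h.get("version", ""), status))
    return rows

def demo():
    """Constructed sample tree; folder names and version 9.9.9 are made up."""
    samples = {"copy-a": ("OttoKit", "1.1.27"), "copy-b": ("SureTriggers", "9.9.9"),
               "other": ("Hello Example", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, ver) in samples.items():
            d = Path(root, "wp-content", "plugins", folder)
            d.mkdir(parents=True)
            (d / "main.php").write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The check finds deactivated copies as well as active ones, since it reads files rather than the site's active-plugin list. A status of `unknown` means the header carried no parseable version and the copy needs a manual look.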
