A critical vulnerability has been discovered in the SureTriggers: All-in-One Automation Platform plugin for WordPress, potentially exposing over 100,000 active installations to unauthorized administrative account creation attacks.
Security firm Wordfence has identified and disclosed the flaw, which allows attackers to exploit unconfigured installations of the plugin to gain administrative access and compromise targeted websites.
Vulnerability Details
The flaw, dubbed “Unauthenticated Administrative User Creation,” exists in all versions of the SureTriggers plugin up to and including version 1.0.78.
It stems from an incomplete permission check in the plugin’s autheticate_user() function within its REST API endpoint.
Specifically, the function fails to validate empty values for the secret_key, which serves as the basis for authentication.
When the plugin is not configured with an API key (e.g., immediately after installation), the secret_key in the database defaults to empty.
If an attacker specifies an empty value for the secret_key in their request, the flawed logic erroneously grants them access to sensitive REST API functions.
This includes the ability to create new administrative users, enabling attackers to take full control of the site.
From there, attackers can upload malicious plugins or themes, modify posts and pages to redirect users to phishing sites, or inject harmful content.
Notably, this vulnerability is restricted to new or improperly configured installations, requiring the plugin to remain unconfigured for exploitation.
Discovery and Response
The vulnerability was responsibly disclosed to Wordfence on March 13, 2025, by security researcher mikemyers, who earned a $1,024.00 bounty under the Wordfence Bug Bounty Program.
Following thorough validation on April 1, 2025, Wordfence implemented a firewall rule to protect Premium, Care, and Response users against any exploits targeting the flaw. Free users of Wordfence will receive protection starting May 1, 2025.
Upon notifying the plugin’s developers, Brainstorm Force, on April 3, 2025, the team responded promptly and released a patched version SureTriggers 1.0.79 on the same day.
According to the report, Wordfence praised Brainstorm Force for their quick response and dedication to securing the WordPress ecosystem.
SureTriggers helps automate processes between websites, applications, and plugins, making it a vital tool for many administrators.
The vulnerable code path runs through the run_action() function, registered as part of the plugin’s REST API endpoint, which erroneously relies on the flawed autheticate_user() function for its permission check.
The autheticate_user() function compares the secret_key header sent with the request against the secret_key value stored in the database.
Due to the missing check for empty values, attackers can bypass authentication when both the header and stored key are set to empty.
This creates a dangerous scenario where unauthenticated users can manipulate core administrative functionalities.
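The following is an added illustration, not the plugin's own code: it models the comparison the advisory describes (request header versus stored key, with no check for empty values) and shows the hardened form beside it. The function names and parameters are assumptions; in a WordPress plugin this logic would sit in the permission_callback passed to register_rest_route().

```php
<?php
// Added illustration (not SureTriggers code). Models the authentication
// check described in the advisory: the request's secret_key header is
// compared with the stored secret_key option. Function names and the
// $stored / $supplied parameters are assumptions for this example.

// Vulnerable form: on an unconfigured site the stored key is '' and a
// request carrying an empty header compares equal, so access is granted.
function permission_check_vulnerable(string $stored, string $supplied): bool {
    return $stored === $supplied;
}

// Hardened form: refuse outright when no key has been configured or the
// request supplies none, and compare the rest in constant time.
function permission_check_hardened(string $stored, string $supplied): bool {
    if ($stored === '' || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed test cases: [stored key, supplied header value].
$cases = [
    'unconfigured site, empty header' => ['', ''],
    'unconfigured site, any value'    => ['', 'guess'],
    'configured site, empty header'   => ['s3cr3t-example', ''],
    'configured site, wrong value'    => ['s3cr3t-example', 'guess'],
    'configured site, correct value'  => ['s3cr3t-example', 's3cr3t-example'],
];

foreach ($cases as $label => [$stored, $supplied]) {
    printf(
        "%-32s vulnerable=%-5s hardened=%s\n",
        $label,
        permission_check_vulnerable($stored, $supplied) ? 'allow' : 'deny',
        permission_check_hardened($stored, $supplied) ? 'allow' : 'deny'
    );
}
```

Only the first case differs between the two forms: the vulnerable check allows it, which is exactly the unconfigured-installation condition the advisory says is required for exploitation.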
While most site owners are likely to configure an API key upon installation, some may overlook this step, leaving their sites vulnerable.
Furthermore, if combined with other vulnerabilities, such as arbitrary plugin installation and activation flaws, attackers could exploit this vector even when SureTriggers is not initially installed.
WordPress site owners using SureTriggers are strongly urged to update to the latest version, 1.0.79, immediately to mitigate the risk of exploitation.
Users relying on the free Wordfence plugin can expect protective firewall rules to take effect on May 1, 2025, while Premium, Care, and Response subscribers are already protected.
The vulnerability highlights the importance of securing WordPress installations through proper configuration and timely updates.
Wordfence continues to enhance the security of the WordPress ecosystem through its defense-in-depth strategy and collaborations with researchers to uncover and neutralize vulnerabilities.
CVE Details:
- CVE ID: CVE-2025-3102
- Severity: High (CVSS Score: 8.1)
- Affected Versions: SureTriggers <= 1.0.78
- Patched Version: 1.0.79