Rogue Account‑Creation Flaw Leaves 100 K WordPress Sites Exposed

A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk.

The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.

Vulnerability Details

This critical flaw, registered as CVE-2025-3102, is rooted in the plugin’s autheticate_user function within the RestController class.

The function checks if the secret_key submitted in the HTTP header matches the one stored within the plugin settings.

However, the function never checks whether the stored secret_key is empty. On a site where no API key has been set, the comparison still succeeds and the function returns true regardless of what the client sends, effectively bypassing authentication.

The affected endpoint /wp-json/suretriggers/automation/action becomes a gateway for attackers to execute arbitrary actions, including creating new administrative users, if the site owner has not set an API key in the plugin’s configuration.

The vulnerability affects only installations where no API key has been configured, typically new or not-yet-configured installs, in versions up to and including 1.0.78.

Technical Insight

The SureTriggers plugin aims to streamline the automation of tasks across different web platforms and applications.

It includes a REST API endpoint designed for integrating with external services.

The endpoint’s security relies on the permission_callback registered for the route, which calls the autheticate_user function. Here’s the problematic function:

public function autheticate_user( $request ) {
    // Read the "st_authorization" header and strip the "Bearer " prefix.
    $secret_key       = $request->get_header( 'st_authorization' );
    list($secret_key) = sscanf( $secret_key, 'Bearer %s' );

    // Compare against the stored key. There is no check that
    // $this->secret_key is actually set, so an empty stored key
    // matches an empty submitted key.
    if ( $this->secret_key !== $secret_key ) {
        return false;
    }

    return true;
}

This function checks the secret_key from the request against the internal key.

However, if the plugin hasn’t been configured with an API key, $this->secret_key will be empty, so the comparison passes regardless of what the attacker sends.
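To make the failure mode concrete, here is an added example (not SureTriggers’ code, and not from Wordfence) that places the weak comparison pattern next to a hardened permission callback and runs both against a few constructed requests. FakeRequest is a hypothetical stand-in for WP_REST_Request that only implements get_header(); the key value k3y-example and the header values are constructed for the demo. The hardened version fails closed when no key is configured, requires a well-formed Bearer header, and compares with hash_equals().

```php
<?php
// Added example (not the plugin's own code): weak vs. hardened REST permission check.
declare(strict_types=1);

// Hypothetical stand-in for WP_REST_Request; only get_header() is needed here.
final class FakeRequest {
    private array $headers;

    public function __construct( array $headers ) {
        $this->headers = array_change_key_case( $headers, CASE_LOWER );
    }

    public function get_header( string $name ): ?string {
        return $this->headers[ strtolower( $name ) ] ?? null;
    }
}

// Weak pattern: compares the submitted key with the stored one but never
// checks that a key has been configured. With no stored key (null) and no
// usable header, both sides are null and the check passes.
function weak_authenticate( ?string $configured_key, FakeRequest $request ): bool {
    $header = (string) $request->get_header( 'st_authorization' );
    $parsed = sscanf( $header, 'Bearer %s' );      // -1 or [null] when nothing parses
    $sent   = is_array( $parsed ) ? $parsed[0] : null;
    return $configured_key === $sent;
}

// Hardened pattern:
//  1. fail closed when no key has been configured,
//  2. require a well-formed "Bearer <token>" header,
//  3. compare in constant time with hash_equals().
function hardened_authenticate( ?string $configured_key, FakeRequest $request ): bool {
    if ( $configured_key === null || $configured_key === '' ) {
        return false; // an unconfigured integration must not accept any request
    }
    $header = $request->get_header( 'st_authorization' );
    if ( ! is_string( $header ) || ! preg_match( '/^Bearer\s+(\S+)$/', $header, $m ) ) {
        return false;
    }
    return hash_equals( $configured_key, $m[1] );
}

// How the hardened check would be wired into a route (assumption: the stored
// key lives in $this->secret_key, as in the function quoted above):
//
// register_rest_route( 'suretriggers', '/automation/action', [
//     'methods'             => 'POST',
//     'callback'            => [ $this, 'run_action' ],
//     'permission_callback' => fn( $r ) => hardened_authenticate( $this->secret_key, $r ),
// ] );

// Constructed requests: stored key first, then the request headers.
$cases = [
    'unconfigured, no header'    => [ null, [] ],
    'unconfigured, empty bearer' => [ null, [ 'st_authorization' => 'Bearer ' ] ],
    'configured, wrong token'    => [ 'k3y-example', [ 'st_authorization' => 'Bearer wrong' ] ],
    'configured, right token'    => [ 'k3y-example', [ 'st_authorization' => 'Bearer k3y-example' ] ],
];

foreach ( $cases as $label => [ $key, $headers ] ) {
    $req = new FakeRequest( $headers );
    printf(
        "%-28s weak=%-5s hardened=%s\n",
        $label,
        weak_authenticate( $key, $req ) ? 'true' : 'false',
        hardened_authenticate( $key, $req ) ? 'true' : 'false'
    );
}
```

Running this with the PHP CLI shows the two unconfigured cases accepted by the weak check and rejected by the hardened one, while a correctly configured key still authenticates only the matching token. The explicit empty-key guard is the fix that matters here; hash_equals() is the routine secret-comparison choice for any bearer-token check.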

The discovery was promptly reported to the Wordfence Bug Bounty Program on March 13, 2025, leading to a coordinated response:

  • April 1, 2025: Wordfence Premium, Care, and Response users were protected by a firewall rule against potential exploits of this vulnerability.
  • April 3, 2025: The vulnerability details were forwarded to the SureTriggers plugin developer, Brainstorm Force, who acknowledged the issue and worked on a fix.
  • April 3, 2025: The patched version, 1.0.79, was released to address the vulnerability.
  • May 1, 2025: Wordfence free users received the same firewall protection.

WordPress site owners who use SureTriggers should update their plugin to version 1.0.79 as soon as possible to mitigate this risk.

This incident highlights the importance of proper configuration of security features in plugins and the ongoing battle to secure the WordPress ecosystem against potential threats.
