
A critical vulnerability in the popular WordPress automation plugin SureTriggers has exposed over 100,000 sites to the risk of unauthenticated administrative account creation, potentially allowing full site takeover. The vulnerability, tracked as CVE-2025-3102 with a CVSS score of 8.1, was responsibly disclosed by security researcher mikemyers through the Wordfence Bug Bounty Program.
“This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key,” Wordfence reports.
SureTriggers is a widely used automation tool that connects WordPress with external apps and other plugins to streamline workflows. It allows users to automate actions like creating posts, sending emails, or updating data when certain triggers occur. However, its power comes with risk — especially when installed but not properly configured.
At the heart of the issue is a flaw in the plugin’s authentication mechanism within the authenticate_user() function. This function was designed to verify access to the plugin’s REST API endpoint, which processes automation commands.
The plugin checks the provided secret_key against the configured value in the database. However, it fails to validate whether the secret key is empty — meaning that if both the plugin and the attacker send blank secret keys, the check passes.
“If the attacker specifies an empty value for the secret key and the plugin is not configured… the attacker can access the REST API endpoint and perform various types of actions, including adding a new administrator user.”
This effectively allows attackers to send requests that impersonate privileged automation actions — such as creating new admin accounts — without any authentication, but only when the plugin hasn’t been fully set up with a valid API key.
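To make the flaw class concrete, the following PHP snippet is a constructed illustration added here (it is not the plugin's actual authenticate_user() code): a loose comparison that passes when both the stored key and the supplied key are blank, beside a check that refuses to authenticate at all while no key is configured. The option name and variable names are assumptions.

```php
<?php
// Constructed illustration of the flaw class described above; not SureTriggers' code.
// $configured simulates the API key option read from the database (null or '' when the
// plugin has never been set up); $supplied simulates the secret key sent in the request.

// Weak check: compares the two values but never asks whether a key is configured at all.
function weak_authenticate(?string $configured, ?string $supplied): bool {
    return $configured == $supplied;   // '' == '' and null == '' are both true in PHP
}

// Hardened check: deny when no key is configured, deny an empty supplied key, and
// compare in constant time so the check does not leak timing information.
function hardened_authenticate(?string $configured, ?string $supplied): bool {
    if ($configured === null || $configured === '') {
        return false; // plugin not set up: nothing may authenticate
    }
    if ($supplied === null || $supplied === '') {
        return false; // never accept a blank key
    }
    return hash_equals($configured, $supplied);
}

// Demonstration with constructed values (no real keys).
$cases = [
    ['configured' => '',      'supplied' => '',      'label' => 'unconfigured plugin, blank key'],
    ['configured' => null,    'supplied' => '',      'label' => 'unconfigured plugin (null), blank key'],
    ['configured' => 'k-123', 'supplied' => '',      'label' => 'configured plugin, blank key'],
    ['configured' => 'k-123', 'supplied' => 'k-123', 'label' => 'configured plugin, correct key'],
];
foreach ($cases as $c) {
    printf("%-42s weak=%s hardened=%s\n", $c['label'],
        weak_authenticate($c['configured'], $c['supplied']) ? 'PASS' : 'deny',
        hardened_authenticate($c['configured'], $c['supplied']) ? 'PASS' : 'deny');
}
```

Only the last case should authenticate under the hardened check; the weak check also passes the first two, which is the unconfigured-plugin condition the advisory describes.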
Attackers exploiting this flaw can:
- Create administrative accounts
- Upload malicious themes or plugins
- Inject spam or redirect site visitors
- Establish persistent backdoors
“As with any Administrative User Creation vulnerability, this can be used for complete site compromise.”
We strongly recommend the following steps:
- Update Immediately: upgrade to SureTriggers version 1.0.79 or later, which patches the vulnerability.
- Check for Rogue Admins: review your WordPress user list for any unfamiliar accounts with admin privileges.
- Secure All Plugin Configurations: ensure that all API-driven plugins have their keys configured and stored securely.
Update:
According to Patchstack, attackers were swift in leveraging this vulnerability, with the first recorded exploitation attempt occurring just four hours after it was added as a virtual patch (vPatch).
To date, the observed exploitation attempts have originated from the following IP addresses:
- 2a01:e5c0:3167::2 (IPv6)
- 89.169.15.201 (IPv4)
The following endpoints have been used to facilitate the exploitation:
- /?rest_route=/wp-json/sure-triggers/v1/automation/action
- /wp-json/sure-triggers/v1/automation/action
During these attacks, adversaries attempted to create administrator-level user accounts using the following parameters: