A critical vulnerability affecting over 100,000 WordPress websites has been discovered in the SureTriggers WordPress plugin, potentially allowing attackers to create unauthorized administrator accounts.

The flaw, identified as CVE-2025-3102 with a CVSS score of 8.1 (High), impacts all versions of the plugin up to and including 1.0.78.

The vulnerability specifically targets websites where the plugin is installed and activated but not properly configured with an API key.

The security issue stems from an authentication bypass in the plugin’s REST API endpoint handling, which fails to properly validate empty secret key values.

When exploited, attackers can leverage this oversight to create administrator accounts without authentication, leading to complete site compromise.

Once administrative access is gained, malicious actors can upload backdoors, inject malware, redirect users to phishing sites, or insert spam content throughout the affected website.

Wordfence researchers identified the vulnerability on March 13th, 2025, through their Bug Bounty Program.

Security researcher mikemyers, who discovered and responsibly reported the issue, received a $1,024 bounty for the finding. Following the discovery, Wordfence promptly notified the plugin’s developer, Brainstorm Force, who released a patched version on April 3rd, 2025.

The vulnerability’s technical nature reveals a concerning oversight in the plugin’s security architecture.

The issue exists in the autheticate_user() function, which handles permission checks for the plugin’s REST API endpoints. The function compares the secret key in the request header with the configured secret key but fails to check for empty values.

Analysis of the Vulnerability

Examining the vulnerable code reveals how the authentication bypass occurs:

public function autheticate_user( $request ) {
    // Read the st_authorization header and strip the "Bearer " prefix.
    $secret_key = $request->get_header( 'st_authorization' );
    list( $secret_key ) = sscanf( $secret_key, 'Bearer %s' );

    // Only an inequality check: nothing verifies that either key is non-empty.
    if ( $this->secret_key !== $secret_key ) {
        return false;
    }

    return true;
}

The critical flaw is evident in the conditional statement that only compares the secret keys for inequality without verifying if either is empty.

Consequently, when both the plugin’s configured key and the attacker-supplied key are empty, the condition evaluates to true, granting the attacker access to the REST API endpoint.

Through this endpoint, attackers can execute the run_action() function to create administrator accounts without any authentication.
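To make the bypass concrete, the following is an added example (not the plugin's own code or its patch): the vulnerable comparison reduced to a plain function beside a hardened form that refuses an unconfigured key, refuses an empty token, and compares in constant time. The class, property and request object are replaced by plain functions and constructed inputs.

```php
<?php
// Added example, not the plugin's own code or its patch. The class,
// property and request object are replaced by plain functions so the
// check can be run stand-alone with constructed inputs.

// Parse the token the way the vulnerable function did. sscanf() does not
// return an array on empty input, and list() on a non-array yields null,
// so a missing or empty header ends up as null.
function extract_token(?string $header): ?string {
    $parsed = sscanf((string) $header, 'Bearer %s');
    return is_array($parsed) ? $parsed[0] : null;
}

// Vulnerable shape: only an inequality test. When no key is configured
// (null) and the header is missing, null !== null is false and the
// request is accepted.
function authenticate_vulnerable(?string $configured, ?string $header): bool {
    $supplied = extract_token($header);
    if ($configured !== $supplied) {
        return false;
    }
    return true;
}

// Hardened shape: refuse when the plugin has no key configured, refuse an
// empty or missing token, and compare in constant time with hash_equals().
function authenticate_hardened(?string $configured, ?string $header): bool {
    if ($configured === null || $configured === '') {
        return false; // unconfigured plugin must never grant access
    }
    $supplied = extract_token($header);
    if ($supplied === null || $supplied === '') {
        return false;
    }
    return hash_equals($configured, $supplied);
}

// Constructed scenarios (hypothetical keys, not real traffic).
$cases = [
    ['unconfigured plugin, no header', null, null],
    ['unconfigured plugin, empty header', null, ''],
    ['configured key, correct token', 'k-example', 'Bearer k-example'],
    ['configured key, wrong token', 'k-example', 'Bearer nope'],
];
foreach ($cases as [$label, $configured, $header]) {
    printf("%-36s vulnerable=%-5s hardened=%s\n", $label,
        authenticate_vulnerable($configured, $header) ? 'ALLOW' : 'deny',
        authenticate_hardened($configured, $header) ? 'ALLOW' : 'deny');
}
```

The first two scenarios are the ones the article describes: the vulnerable check returns ALLOW, the hardened check returns deny.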

WordPress site administrators are strongly urged to update to version 1.0.79 immediately.
