FlagThis

A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two different IP addresses - 2a01:e5c0:3167::2 (IPv6) 89.169.15.201 (IPv4).

ImgSrc: securityonline.

References :

• securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
• BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
• thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
• bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
• www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
• securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
• gbhackers.com: GBHackers article on WordPress Plugin Rogue Account‑Creation Flaw Leaves 100 K WordPress Sites Exposed.
• Cyber Security News: Rogue User‑Creation Bug Exposes 100,000 WordPress Sites to Takeover
• thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
• gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
• securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
• ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
• Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation

Classification:

• HashTags: #WordPress #Vulnerability #Exploit
• Company: SureTriggers
• Target: WordPress Sites
• Product: SureTriggers
• Feature: Privilege Escalation
• Type: Vulnerability
• Severity: Critical