A recently uncovered SureTriggers vulnerability has put more than 100,000 websites at risk, highlighting once again how critical plugin security is for WordPress site administrators. The vulnerability, officially identified as CVE-2025-3102, has a CVSS score of 8.1, placing it in the high-severity category. This flaw allows unauthorized users to create administrator accounts under specific conditions, potentially giving attackers full control over affected websites.
SureTriggers—an automation platform designed to link various web apps, services, and WordPress plugins—was recently rebranded from OttoKit. While it’s widely used for streamlining online workflows, this WordPress plugin vulnerability has become a major point of concern in the cybersecurity community.
SureTriggers Vulnerability: Under Active Exploitation Hours After Disclosure
According to Wordfence Intelligence, the flaw began seeing active exploitation just hours after it was publicly disclosed. The vulnerability is an authorization bypass due to a missing empty value check in the plugin’s authenticate_user() function. This oversight can be exploited by an attacker if the plugin is installed and activated but not configured with an API key—something that’s unfortunately common with newly deployed plugins.
Security researcher mikemyers was credited with discovering the issue, which earned a bug bounty of $1,024. The vulnerability affects all versions of SureTriggers up to version 1.0.78. Users are strongly advised to update to the fully patched version, 1.0.79, to protect their sites.
A Closer Look at the Vulnerability in SureTriggers
The root cause of the issue lies in the plugin’s use of the autheticate_user() function within the RestController class. This function is meant to validate API requests using a secret key found in the request header. However, the implementation fails to check for empty values. If a website hasn’t been configured with an API key, this check will return true even when the attacker provides a blank secret key, giving them access to the REST API endpoints.
This critical oversight means that attackers can bypass authentication entirely and trigger automated actions—one of which includes creating a new administrator user. As a result, vulnerabilities in WordPress plugins like this one can lead to total site takeover.
Full Site Compromise a Real Threat
Once administrative access is gained, attackers have free rein over the site. This includes uploading malicious themes or plugins, injecting spam or malware into posts and pages, or redirecting users to external malicious sites. The ramifications are far-reaching, from SEO damage to compromised customer data.
The vulnerability in SureTriggers is especially concerning because it doesn’t require the attacker to already be logged in or have any kind of prior access. The only requirement is that the site is running a vulnerable, unconfigured version of the plugin. This type of SureTriggers vulnerability is a textbook example of why secure default configurations are vital for plugin developers.
Conclusion
The SureTriggers vulnerability highlights the importance of proactive site security and timely updates in the WordPress ecosystem. Security experts, including those at Wordfence, strongly recommend that all users update to version 1.0.79 or later—even if the plugin is inactive but still installed—as unpatched versions remain exploitable. Administrators should also check for unauthorized admin accounts and thoroughly audit plugin settings. Compounding the risk, this flaw could be chained with other vulnerabilities, such as arbitrary plugin installation, making even dormant installations a potential entry point.
