A significant security flaw has been identified in the SureTriggers WordPress plugin, potentially compromising over 100,000 websites by allowing unauthorized creation of administrator accounts. This vulnerability, designated as CVE-2025-3102 with a CVSS score of 8.1 (High), affects all versions up to and including 1.0.78.
Understanding the Vulnerability
The core issue lies in the plugin’s REST API endpoint handling, specifically in the `autheticate_user()` function (the misspelling is the plugin’s own). This function serves as the permission check for the endpoint, but it never treats an empty secret key as a failure. Consequently, if the plugin’s configured secret key is empty and the attacker-supplied key is also empty, the strict comparison between them passes and the function grants access to the REST API endpoint. In practice this is the state of a site where the plugin is installed and activated but has not yet been configured with a secret key. An attacker can then call the endpoint without any authentication and create an administrator account, leading to full site compromise.
Potential Consequences
Once administrative access is obtained, malicious actors can:
– Upload backdoors to maintain persistent access.
– Inject malware that could harm visitors or the site’s functionality.
– Redirect users to phishing sites, compromising user data.
– Insert spam content, damaging the site’s reputation and SEO rankings.
Discovery and Response
The vulnerability was discovered on March 13, 2025, by security researcher mikemyers through Wordfence’s Bug Bounty Program, earning a $1,024 bounty. Following responsible disclosure, the plugin’s developer, Brainstorm Force, released a patched version (1.0.79) on April 3, 2025.
Technical Analysis
The flaw resides in the `autheticate_user()` function:
```php
public function autheticate_user($request) {
    // Raw value of the st_authorization request header; null when absent.
    $secret_key = $request->get_header('st_authorization');
    // Extract the token after "Bearer "; yields null when the header is
    // missing, empty, or carries no token at all.
    list($secret_key) = sscanf($secret_key, 'Bearer %s');
    // Strict comparison only: an unconfigured (empty) key on the site side
    // and a missing token on the request side compare equal, so the early
    // return is skipped and the function falls through to return true.
    if ($this->secret_key !== $secret_key) {
        return false;
    }
    return true;
}
```
The function compares the token parsed from the request header with the configured secret key, but it never checks whether either value is empty. The parsed header value is empty whenever the header is missing or does not carry a Bearer token, so on a site with no configured key the `!==` comparison evaluates to false, the early `return false` is skipped, and the function returns true, granting unauthorized access.
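To make the failure mode concrete, the following is an added example, not code from SureTriggers or its 1.0.79 patch. It reproduces the vulnerable check in a small stand-alone PHP script next to a hardened rewrite that fails closed when no key is configured, insists on an actual token after `Bearer`, and compares in constant time. `FakeRequest`, `LegacyAuth`, `HardenedAuth` and the request cases are constructed for this demonstration; an unconfigured key is modelled as `null`, which is an assumption about what the plugin’s option loading returns (with an empty string instead of `null`, the strict comparison would not match a missing header, so the stored value on a real install decides whether it is exploitable).

```php
<?php
// Added example, not SureTriggers code: the vulnerable check from the page
// next to a hardened rewrite, exercised against constructed requests.
// FakeRequest stands in for WP_REST_Request; the plugin's option loading is
// not reproduced, so an unconfigured key is modelled as null (assumption).
declare(strict_types=1);

final class FakeRequest {
    /** @param array<string, string> $headers */
    public function __construct(private array $headers) {}

    // Like WP_REST_Request::get_header(): the value, or null when absent.
    public function get_header(string $name): ?string {
        return $this->headers[$name] ?? null;
    }
}

// Vulnerable form (SureTriggers <= 1.0.78). The (string) cast only silences
// PHP 8.1's null-to-string deprecation; sscanf() sees '' either way.
final class LegacyAuth {
    public function __construct(public ?string $secret_key) {}

    public function autheticate_user(FakeRequest $request): bool {
        $secret_key = (string) $request->get_header('st_authorization');
        // When the header is empty or carries no token after "Bearer ",
        // sscanf() yields no value and list() leaves $secret_key null.
        list($secret_key) = sscanf($secret_key, 'Bearer %s');
        if ($this->secret_key !== $secret_key) {
            return false;
        }
        return true; // reached when both sides are null: the bypass
    }
}

// Hardened form (one possible fix, not the vendor's patch).
final class HardenedAuth {
    public function __construct(private ?string $secret_key) {}

    public function authenticate_user(FakeRequest $request): bool {
        $configured = (string) $this->secret_key;
        // No key configured means nothing can authenticate: fail closed.
        if ($configured === '') {
            return false;
        }
        $header = (string) $request->get_header('st_authorization');
        // Require a real token after "Bearer"; a bare prefix is rejected.
        if (preg_match('/^Bearer\s+(\S+)\s*$/', $header, $m) !== 1) {
            return false;
        }
        // Constant-time comparison of two non-empty strings.
        return hash_equals($configured, $m[1]);
    }
}

// Constructed request cases: [label, configured key, request headers].
$cases = [
    ['unconfigured site, no header',    null,  []],
    ['unconfigured site, empty header', null,  ['st_authorization' => '']],
    ['unconfigured site, bare Bearer',  null,  ['st_authorization' => 'Bearer ']],
    ['configured site, no header',      'k3y', []],
    ['configured site, wrong token',    'k3y', ['st_authorization' => 'Bearer nope']],
    ['configured site, correct token',  'k3y', ['st_authorization' => 'Bearer k3y']],
];

printf("%-34s %-8s %s\n", 'case', 'legacy', 'hardened');
foreach ($cases as [$label, $key, $headers]) {
    $req = new FakeRequest($headers);
    printf("%-34s %-8s %s\n", $label,
        (new LegacyAuth($key))->autheticate_user($req) ? 'ALLOW' : 'deny',
        (new HardenedAuth($key))->authenticate_user($req) ? 'ALLOW' : 'deny');
}
```

Run it with `php auth_demo.php` on PHP 8.0 or later. The three unconfigured-site rows show the legacy check allowing a request that carries no credential at all, while the hardened check denies everything until a key exists and the exact token is presented. In the plugin this method is what the REST route’s permission check calls, so its return value is the whole authorization decision for the endpoint.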
Mitigation Steps
WordPress site administrators using the SureTriggers plugin should:
1. Update Immediately: Upgrade to version 1.0.79 or later to patch the vulnerability.
2. Review User Accounts: Check for any unauthorized administrator accounts and remove them.
3. Monitor Site Activity: Implement logging to detect unusual activities or unauthorized access attempts.
4. Enhance Security Measures: Utilize security plugins and firewalls to add additional layers of protection.
Conclusion
This vulnerability underscores the importance of regular updates and vigilant security practices for WordPress site administrators. By promptly updating plugins and monitoring site activity, administrators can mitigate risks associated with such vulnerabilities.