📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
On March 13th, 2025, we received a submission for an Unauthenticated Administrative User Creation vulnerability in SureTriggers, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key.
Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,024.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 1, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on May 1, 2025.
We contacted the Brainstorm Force team on April 3, 2025, and received a response on the same day. After providing full disclosure details, the developer released the patch on the same day, April 3, 2025. We would like to commend the Brainstorm Force team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of SureTriggers, version 1.0.79 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: SureTriggers: All-in-One Automation Platform
Plugin Slug: suretriggers
Affected Versions: <= 1.0.78
CVE ID: CVE-2025-3102
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 1.0.79
Bounty Award: $1,024.00
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Technical Analysis
SureTriggers is a WordPress plugin that helps create automated processes between different websites, applications, and other WordPress plugins.
Examining the code reveals that the plugin uses the run_action() function in the RestController class to handle different types of action events via the automation/action REST API endpoint.
```php
// Execute respective integration action event.
register_rest_route(
	SURE_TRIGGERS_REST_NAMESPACE,
	'automation/action',
	[
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => [ $rest_controller_obj, 'run_action' ],
		'permission_callback' => [ $rest_controller_obj, 'autheticate_user' ],
	]
);
```

```php
public function autheticate_user( $request ) {
	$secret_key = $request->get_header( 'st_authorization' );
	list($secret_key) = sscanf( $secret_key, 'Bearer %s' );
	if ( $this->secret_key !== $secret_key ) {
		return false;
	}
	return true;
}
```
The endpoint uses the autheticate_user() function in the RestController class to perform the permission check. Unfortunately, the check is incomplete: it only compares the secret key supplied in the header with the secret key stored by the plugin, and never verifies that either value is non-empty. This means that if the attacker supplies an empty value for the secret key and the plugin has not been configured (so the secret key stored in the database is also empty), the two empty values compare as equal, the function returns true, and the attacker can reach the REST API endpoint and perform various types of actions, including adding a new administrator user. As a result, this vulnerability is exploitable only on new and unconfigured installations.
As with any Administrative User Creation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.
While we hope most site owners configure the plugin and set the API key, it is still possible some did not configure it, leaving their site vulnerable. Further, this could be combined with an arbitrary plugin installation/activation vulnerability in instances where the plugin isn’t present but another piece of software containing an arbitrary plugin installation/activation vulnerability is present.
Disclosure Timeline
March 13, 2025 – We received the submission for the Administrative User Creation vulnerability in SureTriggers via the Wordfence Bug Bounty Program.
April 1, 2025 – We validated the report and confirmed the proof-of-concept exploit.
April 1, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
April 3, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
April 3, 2025 – The fully patched version of the plugin, 1.0.79, was released.
May 1, 2025 – Wordfence free users received the same protection.
Conclusion
In this blog post, we detailed an Administrative User Creation vulnerability within the SureTriggers plugin affecting versions 1.0.78 and earlier. This vulnerability allows unauthenticated threat actors to create administrator accounts. The vulnerability has been addressed in version 1.0.79 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of SureTriggers as soon as possible considering the critical nature of this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.