Threat Actors exploit WordPress Plugin Auth Bypass Hours after Disclosure.
Identified as [CVE-2025-3102], the flaw impacts all versions of SureTriggers/OttoKit up to 1.0.78. Users are strongly recommended to upgrade to the latest version of OttoKit/SureTriggers [currently 1.0.79].
https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/
#wordpress #it #security #privacy #engineer #media #tech #news
![[ImageSource: Wordfence]
The vulnerable Code.
The flaw stems from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation to be possible if the plugin is not configured with an API key, which causes the stored secret_key to remain empty.
An attacker could exploit this by sending an empty st_authorization header to pass the check and grant unauthorized access to protected API endpoints. Essentially, CVE-2025-3102 allows attackers to create new administrator accounts without authentication, posing a high risk of full site takeover.
Wordfence received a report about the flaw from security researcher [Mikemyers], who earned a bounty of $1,024 for the discovery in mid-March. The plugin vendor was contacted on April 3 with the full exploitation details, and they released a fix via version 1.0.79 on the same day.
However, threat actors quickly jumped at the opportunity to exploit the issue, taking advantage of administrator‘s delay in updating the plugin to address the security problem.
⚠️If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events and modification of security settings.⚠️](https://friendica-leipzig.de/photo/preview/600/960011 "[ImageSource: Wordfence]
The vulnerable Code.
The flaw stems from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation to be possible if the plugin is not configured with an API key, which causes the stored secret_key to remain empty.
An attacker could exploit this by sending an empty st_authorization header to pass the check and grant unauthorized access to protected API endpoints. Essentially, CVE-2025-3102 allows attackers to create new administrator accounts without authentication, posing a high risk of full site takeover.
Wordfence received a report about the flaw from security researcher [Mikemyers], who earned a bounty of $1,024 for the discovery in mid-March. The plugin vendor was contacted on April 3 with the full exploitation details, and they released a fix via version 1.0.79 on the same day.
However, threat actors quickly jumped at the opportunity to exploit the issue, taking advantage of administrator‘s delay in updating the plugin to address the security problem.
⚠️If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events and modification of security settings.⚠️")
Identified as [CVE-2025-3102], the flaw impacts all versions of SureTriggers/OttoKit up to 1.0.78. Users are strongly recommended to upgrade to the latest version of OttoKit/SureTriggers [currently 1.0.79].
https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/
#wordpress #it #security #privacy #engineer #media #tech #news
![[ImageSource: Wordfence]
The vulnerable Code.
The flaw stems from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation to be possible if the plugin is not configured with an API key, which causes the stored secret_key to remain empty.
An attacker could exploit this by sending an empty st_authorization header to pass the check and grant unauthorized access to protected API endpoints. Essentially, CVE-2025-3102 allows attackers to create new administrator accounts without authentication, posing a high risk of full site takeover.
Wordfence received a report about the flaw from security researcher [Mikemyers], who earned a bounty of $1,024 for the discovery in mid-March. The plugin vendor was contacted on April 3 with the full exploitation details, and they released a fix via version 1.0.79 on the same day.
However, threat actors quickly jumped at the opportunity to exploit the issue, taking advantage of administrator‘s delay in updating the plugin to address the security problem.
⚠️If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events and modification of security settings.⚠️](https://nerdculture.de/system/media_attachments/files/114/393/270/374/452/490/original/448018fca7b6d017.jpeg "[ImageSource: Wordfence]
The vulnerable Code.
The flaw stems from a missing empty value check in the authenticate_user() function, which handles REST API authentication. Exploitation to be possible if the plugin is not configured with an API key, which causes the stored secret_key to remain empty.
An attacker could exploit this by sending an empty st_authorization header to pass the check and grant unauthorized access to protected API endpoints. Essentially, CVE-2025-3102 allows attackers to create new administrator accounts without authentication, posing a high risk of full site takeover.
Wordfence received a report about the flaw from security researcher [Mikemyers], who earned a bounty of $1,024 for the discovery in mid-March. The plugin vendor was contacted on April 3 with the full exploitation details, and they released a fix via version 1.0.79 on the same day.
However, threat actors quickly jumped at the opportunity to exploit the issue, taking advantage of administrator‘s delay in updating the plugin to address the security problem.
⚠️If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events and modification of security settings.⚠️")
