10 Apr
A critical vulnerability in the popular WordPress automation plugin SureTriggers has exposed over 100,000 sites to the risk of unauthenticated administrative account creation, potentially allowing full site takeover. The vulnerability, tracked as CVE-2025-3102 with a CVSS score of 8.1, was responsibly disclosed by security researcher mikemyers through the Wordfence Bug Bounty Program.
“This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key,” Wordfence reports.
SureTriggers is a widely used automation tool that connects WordPress with external apps and other plugins to streamline workflows. It allows users to automate actions like creating posts, sending emails, or updating data when certain triggers occur. However, its power comes with risk, especially when the plugin is installed but not properly configured.

At the heart of the issue is a flaw in the plugin’s authentication mechanism within the authenticate_user() function. This function was designed to verify access to the plugin’s REST API endpoint, which processes automation commands.
The plugin checks the provided secret_key against the configured value in the database. However, it fails to validate whether the secret key is empty, meaning that if the plugin's stored key is blank and the attacker also sends a blank key, the comparison succeeds and the check passes.
“If the attacker specifies an empty value for the secret key and the plugin is not configured… the attacker can access the REST API endpoint and perform various types of actions, including adding a new administrator user.”
This effectively allows attackers to send requests that impersonate privileged automation actions, such as creating new admin accounts, without any authentication, but only when the plugin hasn't been fully set up with a valid API key.
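To make the failure mode concrete, here is an added illustration (constructed for this article, not SureTriggers' own code) of a REST secret-key check in the shape the advisory describes, beside a hardened version that refuses to authenticate when no key has been configured. The function names, option values and scenarios are all hypothetical.

```php
<?php
// Constructed example, not the plugin's code. Models the check described in
// the advisory: the stored key is compared with the request key, but nobody
// asks whether a key has been configured at all.

// Vulnerable shape: when the plugin is installed but not connected, the stored
// key is empty (or the option was never saved), so a blank request key matches.
function authenticate_user_vulnerable(?string $stored_key, ?string $request_key): bool {
    $stored_key  = (string) $stored_key;    // null becomes ''
    $request_key = (string) $request_key;
    return $stored_key === $request_key;    // '' === '' is true: the flaw
}

// Hardened shape: an unconfigured plugin never authenticates anyone, a blank
// request key is rejected outright, and the comparison is constant-time.
function authenticate_user_fixed(?string $stored_key, ?string $request_key): bool {
    if (empty($stored_key) || empty($request_key)) {
        return false;
    }
    return hash_equals($stored_key, $request_key);
}

// Constructed scenarios (no real keys); 'k-example' is a placeholder value.
$cases = [
    ['stored' => '',          'request' => '',          'label' => 'unconfigured plugin, blank request key'],
    ['stored' => null,        'request' => '',          'label' => 'option never saved, blank request key'],
    ['stored' => 'k-example', 'request' => '',          'label' => 'configured plugin, blank request key'],
    ['stored' => 'k-example', 'request' => 'k-example', 'label' => 'configured plugin, correct key'],
];
foreach ($cases as $c) {
    printf("%-42s vulnerable=%s fixed=%s\n", $c['label'],
        var_export(authenticate_user_vulnerable($c['stored'], $c['request']), true),
        var_export(authenticate_user_fixed($c['stored'], $c['request']), true));
}
```

Only the last scenario should authenticate in the hardened version; the vulnerable version also accepts the first two, which is exactly the installed-but-unconfigured state the advisory warns about.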
Attackers exploiting this flaw can:
- Create administrative accounts
- Upload malicious themes or plugins
- Inject spam or redirect site visitors
- Establish persistent backdoors
“As with any Administrative User Creation vulnerability, this can be used for complete site compromise.”
We strongly recommend the following steps:
1. Update immediately: upgrade to SureTriggers version 1.0.79 or later, which patches the vulnerability.
2. Check for rogue admins: review your WordPress user list for any unfamiliar accounts with admin privileges.
3. Secure all plugin configurations: ensure that all API-driven plugins have their keys configured and stored securely.
