CVE-2025-3102
Published: 2025-04-10
Priority: P1 · 87 · high · 8.1 (CVSS 3.1)
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.20% (99.5th percentile)
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brainstormforce | ottokit_all-in-one_automation_platform | <= 1.0.78 | — |
Detection & IOCs (extracted from sources)
Command: `{"integration": "WordPress", "type_event": "create_user_if_not_exists", "selected_options": {"user_email": "{{email}}", "user_name": "{{username}}", "password": "{{password}}"}, "fields": [], "context": {}}`
- Detect exploitation attempts by monitoring for POST requests to the REST API endpoint /wp-json/sure-triggers/v1/automation/action (or its ?rest_route= equivalent) with an empty or missing st_authorization header.
- Look for the payload field "type_event": "create_user_if_not_exists" in POST bodies to /wp-json/sure-triggers/v1/automation/action as a strong indicator of exploitation.
- Threat actors use randomized usernames, passwords, and email addresses when creating rogue admin accounts — check WordPress user logs for newly created administrator accounts with random-looking credentials.
- Check for successful exploitation by looking for HTTP 200 responses containing both '"success":true' and '"user_registered":' in the response body from the automation action endpoint.
- Review WordPress logs for unexpected admin account creation, new plugin/theme installations, database access events, and modification of security settings as post-exploitation indicators.
- The vulnerability is only exploitable when the OttoKit/SureTriggers plugin is installed and activated BUT has NOT been configured with an API key — sites with a configured API key are not vulnerable because the stored secret_key will not be empty.
- The vulnerability affects all versions of SureTriggers/OttoKit up to and including 1.0.79's predecessor, i.e. up to and including 1.0.78; version 1.0.79 contains the fix.
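The detection points above, as an added example that is not part of this page or of any vendor's tooling: a small triage routine that grades each logged request to the automation action endpoint as suspicious, attempt, or confirmed success. The JSON-lines log format, its field names, and the sample records are assumptions constructed for the example.

```python
# Added example: grade requests to the SureTriggers/OttoKit action endpoint for CVE-2025-3102 indicators.
import json
from urllib.parse import parse_qs, urlsplit

ROUTE = "/sure-triggers/v1/automation/action"
SUCCESS_MARKERS = ('"success":true', '"user_registered":')

def targets_action_endpoint(url: str) -> bool:
    """Match /wp-json/<route> and its ?rest_route=<route> equivalent."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    return any(r.rstrip("/") == ROUTE for r in parse_qs(parts.query).get("rest_route", []))

def auth_header_is_empty(headers: dict) -> bool:
    """Missing header, blank value, or 'Bearer' with no token all count as empty."""
    norm = {k.lower().replace("-", "_"): v for k, v in headers.items()}
    value = norm.get("st_authorization", "").strip()
    if value.lower().startswith("bearer"):
        value = value[len("bearer"):].strip()
    return value == ""

def classify(event: dict):
    """None, 'suspicious' (unauthenticated POST to the endpoint), 'attempt' (plus the
    admin-creation payload) or 'success' (plus HTTP 200 with both response markers)."""
    if event.get("method") != "POST" or not targets_action_endpoint(event.get("url", "")):
        return None
    if not auth_header_is_empty(event.get("headers", {})):
        return None  # a token was presented; whatever this is, it is not this bug
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}  # non-JSON body: still an unauthenticated hit, just not the known payload
    if body.get("type_event") != "create_user_if_not_exists":
        return "suspicious"
    ok = event.get("status") == 200 and all(m in event.get("response_body", "") for m in SUCCESS_MARKERS)
    return "success" if ok else "attempt"

def scan(lines):  # -> [(line_number, verdict)] for every flagged JSON-lines record
    verdicts = ((n, classify(json.loads(line))) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample records (not real traffic): a configured site's legitimate call,
# an exploit via ?rest_route= with an empty Bearer, an unrelated GET, and a probe.
SAMPLE_LOG = [
    '{"method":"POST","url":"/wp-json/sure-triggers/v1/automation/action","headers":{"St-Authorization":"Bearer c0nf1gur3d-key"},"body":"{\\"type_event\\":\\"create_user_if_not_exists\\"}","status":200,"response_body":"{\\"success\\":true,\\"user_registered\\":\\"2025-04-10\\"}"}',
    '{"method":"POST","url":"/?rest_route=/sure-triggers/v1/automation/action","headers":{"St-Authorization":"Bearer "},"body":"{\\"integration\\":\\"WordPress\\",\\"type_event\\":\\"create_user_if_not_exists\\",\\"selected_options\\":{\\"user_email\\":\\"x@example.invalid\\",\\"user_name\\":\\"qz81kd\\",\\"password\\":\\"p\\"}}","status":200,"response_body":"{\\"success\\":true,\\"result\\":{\\"user_registered\\":\\"2025-04-10 12:00:00\\"}}"}',
    '{"method":"GET","url":"/wp-json/wp/v2/posts","headers":{},"body":"","status":200,"response_body":"[]"}',
    '{"method":"POST","url":"/wp-json/sure-triggers/v1/automation/action","headers":{},"body":"{\\"type_event\\":\\"list_users\\"}","status":403,"response_body":"{\\"success\\":false}"}',
]
```

`scan(SAMPLE_LOG)` returns `[(2, "success"), (4, "suspicious")]`: the legitimate call with a real token is ignored, and header names are matched case- and separator-insensitively so `St-Authorization` and `st_authorization` are treated alike.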
CVSS provenance
NVD: v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH
GHSA
GHSA-rp6h-6758-g8ch · ghsa_unreviewed · 2025-04-10
CVE-2025-3102 [HIGH] CWE-697
VulnCheck
vulncheck · 2025 · CVSS 8.1
CVE-2025-3102 [HIGH] Incorrect Comparison
Affected: SureTriggers All-in-One Automation Platform Plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wor
No detection rules found.
Nuclei
nuclei · CVSS 8.1
CVE-2025-3102 [HIGH] SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
Template:

```yaml
id: CVE-2025-3102
info:
  name: SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
  author: DhiyaneshDK
  severity: high
  description: |
    The SureTriggers- All-in-One Automation Platform plugin for Word
```
Metasploit
metasploit · CVSS 8.1
CVE-2025-3102 [HIGH] WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
Exploits two distinct authorization bypasses in the SureTriggers/OttoKit plugin:
- CVE-2025-3102: admin creation via St-Authorization Bearer (empty)
- CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header
Bleepingcomputer
blogs_bleepingcomputer · 2025-05-07
## Hackers exploit OttoKit WordPress plugin flaw to add admin accounts
## Bill Toulas
Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.
OttoKit (formerly SureTriggers) is a WordPress automation and integration plugin used in over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.
Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.
The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, bypassing authentication checks
Bleepingcomputer
blogs_bleepingcomputer · 2025-04-10 · CVSS 8.1
## Hackers exploit WordPress plugin auth bypass hours after disclosure
## Bill Toulas
Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
Users are strongly recommended to upgrade to the latest version of OttoKit/SureTriggers, currently 1.0.79, released at the beginning of the month.
The OttoKit WordPress plugin allows users to connect plugins and external tools like WooCommerce, Mailchimp, and Google Sheets, automate tasks like sending emails and adding users, or updating CRMs without code. Statistics show that the product is active on 100,000 websites.
Yesterday, Wordfence disclosed an authentication bypass vulnerability in OttoKit, identified as CVE-2025-
https://plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php#L59
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3266499%40suretriggers%2Ftrunk&old=3264905%40suretriggers%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b?source=cve
2025-04-10 · Published · Exploited in the wild