cbcvebase.
CVE-2025-3102
published 2025-04-10


Priority: P187 (high)
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 76.20% (99.5th percentile)
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

Affected

1 range
Vendor: brainstormforce
Product: ottokit_all-in-one_automation_platform
Version range: <= 1.0.78
Fixed in: 1.0.79

Detection & IOCs

url: /wp-json/sure-triggers/v1/automation/action
url: ?rest_route=/wp-json/sure-triggers/v1/automation/action
path: /wp-content/plugins/suretriggers
command (POST body): {"integration": "WordPress", "type_event": "create_user_if_not_exists", "selected_options": {"user_email": "{{email}}", "user_name": "{{username}}", "password": "{{password}}"}, "fields": [], "context": {}}
other: st_authorization: (empty)
  • Detect exploitation attempts by monitoring for POST requests to the REST API endpoint /wp-json/sure-triggers/v1/automation/action (or its ?rest_route= equivalent) with an empty or missing st_authorization header.
  • Look for the payload field "type_event": "create_user_if_not_exists" in POST bodies to /wp-json/sure-triggers/v1/automation/action as a strong indicator of exploitation.
  • Threat actors use randomized usernames, passwords, and email addresses when creating rogue admin accounts — check WordPress user logs for newly created administrator accounts with random-looking credentials.
  • Check for successful exploitation by looking for HTTP 200 responses containing both '"success":true' and '"user_registered":' in the response body from the automation action endpoint.
  • Review WordPress logs for unexpected admin account creation, new plugin/theme installations, database access events, and modification of security settings as post-exploitation indicators.
  • The vulnerability is only exploitable when the OttoKit/SureTriggers plugin is installed and activated BUT has NOT been configured with an API key; sites with a configured API key are not vulnerable because the stored secret_key will not be empty.
  • The vulnerability affects all versions of SureTriggers/OttoKit up to and including 1.0.78; version 1.0.79 contains the fix.
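As an added example (not code from the plugin vendor, from the advisory, or from this page's sources), the detection logic in the bullets above run over a handful of constructed log records. It assumes each log line is one JSON object carrying the request method, URI, headers, body, HTTP status and response body, as a WAF or reverse proxy might emit; those field names, the sample IPs, the user names and the API-key value are all placeholders.

```python
"""Detect CVE-2025-3102 exploitation attempts against the SureTriggers/OttoKit
automation-action endpoint from request/response log records.

Added example, not vendor or advisory code. ASSUMPTION: one JSON object per log
line with method, uri, headers, body, status and resp_body; field names are ours."""

import json
import re
from urllib.parse import parse_qs, urlparse

TARGET_ROUTE = "/sure-triggers/v1/automation/action"   # matched with or without /wp-json
EVENT_IOC = "create_user_if_not_exists"


def _normalize_route(path):
    path = (path or "").rstrip("/")
    return path[len("/wp-json"):] if path.startswith("/wp-json") else path


def targets_automation_action(uri):
    """True for the direct /wp-json path or its ?rest_route= equivalent."""
    parsed = urlparse(uri)
    if _normalize_route(parsed.path) == TARGET_ROUTE:
        return True
    rest_route = parse_qs(parsed.query).get("rest_route", [""])[0]
    return _normalize_route(rest_route) == TARGET_ROUTE


def has_create_user_event(body):
    """Strong IOC: "type_event": "create_user_if_not_exists" in the POST body."""
    try:
        return json.loads(body or "").get("type_event") == EVENT_IOC
    except (ValueError, AttributeError):
        # Body is not clean JSON (or not an object): fall back to a textual match.
        return re.search(r'"type_event"\s*:\s*"%s"' % EVENT_IOC, body or "") is not None


def indicates_success(status, resp_body):
    """Success IOC: HTTP 200 whose body carries "success":true and "user_registered"."""
    if status != 200:
        return False
    try:
        resp = json.loads(resp_body or "")
    except ValueError:
        compact = re.sub(r"\s+", "", resp_body or "")
        return '"success":true' in compact and '"user_registered":' in compact
    return isinstance(resp, dict) and resp.get("success") is True and "user_registered" in resp


def classify(record):
    """None for traffic outside the IOC scope, otherwise a verdict string."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    if not targets_automation_action(record.get("uri", "")):
        return None
    headers = {str(k).lower(): str(v or "") for k, v in (record.get("headers") or {}).items()}
    if headers.get("st_authorization", "").strip():
        return "authenticated"        # keyed request: normal plugin use, not this CVE's pattern
    if indicates_success(record.get("status"), record.get("resp_body")):
        return "exploit_success"      # empty/missing key AND the server reported a new user
    if has_create_user_event(record.get("body")):
        return "exploit_attempt"      # empty/missing key AND the rogue-admin payload
    return "suspicious"               # empty/missing key reaching the endpoint at all


def scan_log(lines):
    """Return (timestamp, source, verdict) for every in-scope record; skip unparseable lines."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        if isinstance(record, dict):
            verdict = classify(record)
            if verdict is not None:
                hits.append((record.get("ts"), record.get("src"), verdict))
    return hits


def _payload(event, user_name="u8f2k1"):
    """Body shaped like the page's IOC; account values are placeholders."""
    return json.dumps({"integration": "WordPress", "type_event": event,
                       "selected_options": {"user_email": user_name + "@example.invalid",
                                            "user_name": user_name, "password": "Wq9!xLm2"},
                       "fields": [], "context": {}})


_RECORDS = [  # constructed, not real traffic; "placeholder-api-key" stands in for a real key
    {"ts": "12:00:01", "src": "203.0.113.5", "method": "POST", "uri": "/wp-json/sure-triggers/v1/automation/action",
     "headers": {"St_Authorization": ""}, "body": _payload(EVENT_IOC), "status": 200,
     "resp_body": '{"success":true,"user_registered":"2025-04-10 12:00:01"}'},
    {"ts": "12:00:07", "src": "203.0.113.5", "method": "POST", "uri": "/?rest_route=/wp-json/sure-triggers/v1/automation/action",
     "headers": {}, "body": _payload(EVENT_IOC, "kq02ml"), "status": 403, "resp_body": '{"success":false}'},
    {"ts": "12:01:30", "src": "198.51.100.9", "method": "POST", "uri": "/wp-json/sure-triggers/v1/automation/action",
     "headers": {"st_authorization": ""}, "body": _payload("other_event"), "status": 200, "resp_body": '{"success":true}'},
    {"ts": "12:02:00", "src": "192.0.2.44", "method": "POST", "uri": "/wp-json/sure-triggers/v1/automation/action",
     "headers": {"st_authorization": "placeholder-api-key"}, "body": _payload(EVENT_IOC, "ops"), "status": 200,
     "resp_body": '{"success":true,"user_registered":"2025-04-10 12:02:00"}'},
    {"ts": "12:03:00", "src": "192.0.2.44", "method": "GET", "uri": "/wp-json/wp/v2/posts",
     "headers": {}, "body": "", "status": 200, "resp_body": "[]"},
]
SAMPLE_LINES = [json.dumps(r) for r in _RECORDS] + ["not json at all"]

if __name__ == "__main__":
    for ts, src, verdict in scan_log(SAMPLE_LINES):
        print(ts, src, verdict)
```

The verdicts only classify wire traffic: a keyed request is treated as normal plugin use, and nothing in the log says whether the target site had an API key configured, so a 200 carrying "success":true and "user_registered" after an empty or missing st_authorization header is the only success signal available here. Confirm on the host by reviewing administrator accounts created around that timestamp.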

CVSS provenance

NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH