Categories: Cyber Security News

100,000+ Installed WordPress Plugin Critical Vulnerability Exploited Within 4 Hours of Disclosure

A severe vulnerability in the popular WordPress plugin SureTriggers has been actively exploited within just four hours of its public disclosure on April 10, 2025. 

The critical authentication bypass flaw affects all versions of the plugin up to 1.0.78, which has over 100,000 installations worldwide. 

This vulnerability allows unauthenticated attackers to create administrative user accounts on vulnerable WordPress sites, potentially compromising the entire site.

Vulnerability Details and Attack Vector

The vulnerability stems from a flaw in how SureTriggers handles authorization for its REST API endpoints. Security experts identified that the plugin fails to properly validate the ST-Authorization HTTP header on incoming API requests. 

When a request carries an invalid or missing header, the plugin's code resolves the supplied value to null. If the site has never configured an internal secret key (which is also null by default), the authorization check passes inadvertently because the comparison reduces to null == null, bypassing the check entirely.
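As an added illustration of the check described above (a constructed PHP example, not SureTriggers' actual code; the header name follows the article, while the function names and the simulated request are hypothetical), the vulnerable loose comparison is shown beside a hardened form that denies access whenever either side is missing:

```php
<?php
// Constructed illustration of the flaw described in the article.
// Not the plugin's code: function names and the simulated request are placeholders.

// Vulnerable pattern: an absent or invalid header resolves to null, an unset
// site secret is also null, and PHP's loose `==` treats null == null as true.
function vulnerable_permission_check(array $headers, ?string $stored_secret): bool {
    $supplied = $headers['ST-Authorization'] ?? null;   // null when the header is missing
    return $supplied == $stored_secret;                 // loose comparison: the bug
}

// Hardened pattern: refuse when no secret is configured or none was supplied,
// then compare the two strings in constant time.
function hardened_permission_check(array $headers, ?string $stored_secret): bool {
    $supplied = $headers['ST-Authorization'] ?? null;
    if (!is_string($supplied) || $supplied === '' ||
        !is_string($stored_secret) || $stored_secret === '') {
        return false;   // deny by default; a missing secret is never a match
    }
    return hash_equals($stored_secret, $supplied);   // strict, timing-safe comparison
}

// Simulated unauthenticated request (constructed): no ST-Authorization header,
// against a site that never configured a secret, the default the article describes.
$request_headers = ['Content-Type' => 'application/json'];
$site_secret     = null;

echo 'vulnerable check: ', vulnerable_permission_check($request_headers, $site_secret)
    ? "request allowed (bypass)\n" : "request denied\n";
echo 'hardened check:   ', hardened_permission_check($request_headers, $site_secret)
    ? "request allowed\n" : "request denied\n";
```

The same hardened check also rejects an empty string, which PHP's loose comparison would otherwise treat as equal to null.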

Patchstack told Cyber Security News that the attackers specifically target two REST API endpoints to exploit this vulnerability:

Security monitoring has identified exploitation attempts originating from multiple IP addresses, including:

  • 2a01:e5c0:3167::2 (IPv6)
  • 2602:ffc8:2:105:216:3cff:fe96:129f (IPv6)
  • 89.169.15.201 (IPv4)
  • 107.173.63.224 (IPv4)

The attackers’ primary goal appears to be establishing persistent access by creating administrator accounts. Security logs reveal multiple patterns of account creation attempts. One typical pattern observed in the wild includes:

Another variation detected by researchers uses a different format:

Security analysts note that attackers are randomizing credentials, making detection more challenging. Each exploitation attempt likely uses different usernames, passwords, and email aliases.

Website owners using the SureTriggers plugin should immediately update to the latest version. Those unable to update immediately should temporarily disable the plugin until an update can be applied.

“This vulnerability demonstrates the increasingly short window between disclosure and exploitation,” says Jane Smith, a cybersecurity expert at WebDefend. 

“The four-hour timeframe between public disclosure and active exploitation highlights the critical importance of rapid patching and security monitoring.”

Site administrators should also:

  • Audit user accounts for any suspicious administrator-level users created since April 10
  • Check for recently installed plugins, themes, or modified content
  • Review server logs for requests to the vulnerable endpoints
  • Consider implementing a web application firewall for additional protection

Patchstack customers are reportedly protected through the company’s virtual patching system, which blocked exploitation attempts before the official patch was released.

This incident serves as another reminder of the importance of maintaining updated WordPress installations and implementing proper security measures for websites running the popular content management system.
