Categories: Cyber Security News

Critical WordPress Plugin with 100K+ Installs Exploited Just 4 Hours After Disclosure

WordPress SureTriggers Plugin Vulnerability: Critical Flaw Exposes Over 100,000 Sites to Admin Takeover

A critical security vulnerability in the popular WordPress plugin SureTriggers (also known as OttoKit), affecting versions 1.0.78 and below, has put more than 100,000 websites at risk of complete compromise.

The flaw, officially tracked as CVE-2025-3102 with a CVSS score of 8.1, allows unauthenticated attackers to create administrative user accounts, granting them full control over vulnerable sites.

Technical Details: The Heart of the Flaw

SureTriggers is designed to automate workflows by connecting WordPress with external services and plugins.

The vulnerability lies in the plugin’s REST API endpoint handling, specifically within the autheticate_user() function of the RestController class.

This function is responsible for validating API requests using a secret key provided in the ST-Authorization HTTP header.

The core issue is a missing empty value check. If the plugin is installed and activated but not configured with an API key—a common scenario for new installations—the secret_key in the database remains empty (null).

When an attacker sends a request with an empty or invalid ST-Authorization header, the plugin’s code compares the null value from the header with the null value in the database.

Due to the logic null == null, the authorization check passes, inadvertently granting access to sensitive REST API functions.
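The bypass described above comes down to a key comparison that has no "nothing configured yet" guard. The following is an added, hypothetical model of such a check written for this article, not code from the SureTriggers/OttoKit plugin: `check_key_vulnerable()` shows the failure mode (an empty header matching an empty stored key), and `check_key_hardened()` shows the fail-closed form a plugin author would want. Function names and the sample inputs are constructed.

```php
<?php
// Hypothetical model of a REST secret-key check (not the plugin's own code).
// Shows why a missing empty-value check turns an unconfigured install into an
// open door, and how a fail-closed check behaves on the same inputs.

declare(strict_types=1);

/**
 * Vulnerable pattern: compares whatever the client sent against whatever is
 * stored, with no guard for "no key configured". On a fresh install both sides
 * are empty, so the comparison succeeds for an anonymous request.
 */
function check_key_vulnerable(?string $header_value, ?string $stored_key): bool
{
    // Loose comparison: null == null, null == "" and "" == "" are all true in PHP.
    return $header_value == $stored_key;
}

/**
 * Hardened pattern: deny when no key has been configured, deny when the
 * header is absent or empty, and compare in constant time otherwise.
 */
function check_key_hardened(?string $header_value, ?string $stored_key): bool
{
    // Not configured yet: the endpoint must be unusable, not open to everyone.
    if ($stored_key === null || $stored_key === '') {
        return false;
    }
    // No credential presented at all.
    if ($header_value === null || $header_value === '') {
        return false;
    }
    // hash_equals() requires two strings and avoids a timing side channel.
    return hash_equals($stored_key, $header_value);
}

// Constructed cases: [header value, stored key, expected hardened result]
$cases = [
    'unconfigured install, no header'    => [null, null, false],
    'unconfigured install, empty header' => ['', null, false],
    'empty key stored, empty header'     => ['', '', false],
    'configured, wrong key'              => ['wrong-key', 'correct-key', false],
    'configured, correct key'            => ['correct-key', 'correct-key', true],
];

foreach ($cases as $name => [$header, $stored, $expected]) {
    printf(
        "%-36s vulnerable=%-4s hardened=%-4s\n",
        $name,
        check_key_vulnerable($header, $stored) ? 'PASS' : 'deny',
        check_key_hardened($header, $stored) ? 'PASS' : 'deny'
    );
    assert(check_key_hardened($header, $stored) === $expected);
}
```

Run with `php check_key.php`: the first three rows print `vulnerable=PASS hardened=deny`, which is exactly the unconfigured-install condition the report describes. The design point is that an unset secret must disable the feature rather than default to "any caller is trusted".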

Exploitation in the Wild: Rapid and Widespread

According to the report, exploitation attempts began within just four hours of the vulnerability’s public disclosure on April 10, 2025.

Attackers have been observed targeting the following API endpoints:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

Attackers use these endpoints to create new administrator accounts with randomized credentials. Examples of payloads observed include:

{
  "show_password": "yes",
  "role": "administrator",
  "password": "4bebb262e22",
  "user_name": "xtw1838783bc",
  "user_email": "xtw18387+83bc@outlook.com"
}

and

{
  "user_email": "test@test.cc",
  "user_name": "test123123",
  "password": "TESTtest123!@#",
  "first_name": "tes",
  "last_name": "est",
  "role": "administrator"
}

Attackers have launched these exploits from both IPv4 and IPv6 addresses, including 2a01:e5c0:3167::2, 2602:ffc8:2:105:216:3cff:fe96:129f, 89.169.15.201, and 107.173.63.224.

Potential Impact: Full Site Takeover

Once administrative access is gained, attackers can:

  • Upload malicious plug-ins or themes (potentially containing backdoors)
  • Modify posts and pages to inject spam or redirect users to phishing sites
  • Install additional malware or exfiltrate sensitive data

The vulnerability does not require the attacker to be logged in or have any prior access—only that the plugin is installed, activated, and unconfigured with an API key.

Mitigation and Recommendations

  • Immediate Update: All users of SureTriggers/OttoKit should update to version 1.0.79 or later, which patches the vulnerability.
  • Audit for IOCs: Administrators should check for unauthorized admin accounts, recently installed plugins/themes, and any unexpected content modifications.
  • Patchstack Protection: Customers using Patchstack’s vPatch are already protected and require no further action.
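As a starting point for the IOC audit above, the following added example (not from the article, Patchstack or the plugin) scans a web-server access log in combined log format for the two endpoint forms and the source addresses the report lists. The helper names, the log-format regex and the sample log lines are constructed; adjust the regex to your server's log format.

```php
<?php
// Added example: first-pass audit of an access log for requests to the
// SureTriggers REST endpoint forms and source IPs named in the report.

declare(strict_types=1);

// Both URL forms observed in the wild (from the report).
const ENDPOINT_PATTERN = '~(?:/wp-json/sure-triggers/v1/automation/action'
    . '|rest_route=/wp-json/sure-triggers/v1/automation/action)~i';

// Source addresses listed in the report; extend with your own findings.
const REPORTED_IPS = [
    '2a01:e5c0:3167::2',
    '2602:ffc8:2:105:216:3cff:fe96:129f',
    '89.169.15.201',
    '107.173.63.224',
];

/**
 * Parse one combined-log-format line, or return null if it does not match.
 * Hypothetical helper; adapt the regex to your log format.
 */
function parse_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Return entries worth a closer look: any request to the automation endpoint
 * (from any source), plus any request at all from a reported address.
 */
function find_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        $reasons = [];
        if (preg_match(ENDPOINT_PATTERN, $entry['path'])) {
            $reasons[] = 'sure-triggers automation endpoint';
        }
        if (in_array($entry['ip'], REPORTED_IPS, true)) {
            $reasons[] = 'source IP listed in report';
        }
        if ($reasons !== []) {
            $entry['reasons'] = $reasons;
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic), used when no log file is given.
$sample = [
    '203.0.113.7 - - [10/Apr/2025:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '89.169.15.201 - - [10/Apr/2025:14:05:42 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '2a01:e5c0:3167::2 - - [10/Apr/2025:14:06:03 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 298 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Apr/2025:14:07:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
];

$lines = $argc > 1
    ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : $sample;

foreach (find_suspicious($lines) as $hit) {
    printf(
        "%s %s %s %s %d  <- %s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'],
        implode('; ', $hit['reasons'])
    );
}
```

Run as `php audit_log.php /var/log/apache2/access.log` (or without an argument to see the constructed sample). A `200` response to a `POST` on that endpoint from an install that never had an API key configured is the signal to follow up on: compare the timestamps against the registration dates of administrator accounts (for example with `wp user list --role=administrator --fields=user_login,user_email,user_registered`), and against plugin and theme installation times.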

The SureTriggers vulnerability underscores the importance of secure default configurations and rapid patching in the WordPress ecosystem.

Administrators are urged to act swiftly to prevent site compromise, as exploitation is ongoing and automated.

Even inactive but installed versions of the plugin remain exploitable, making prompt updates and thorough audits essential for all affected sites.


The post Critical WordPress Plugin with 100K+ Installs Exploited Just 4 Hours After Disclosure appeared first on Cyber Security News.
