Attacks on vulnerability in WordPress plug-in SureTriggers underway

The SureTriggers plug-in is installed on 100,000 WordPress instances. Attacks began shortly after a vulnerability became known.


(Image: Created with AI in Bing Creator by heise online / dmk)


A security vulnerability was discovered in the WordPress plug-in SureTriggers over the weekend. The plug-in is installed on more than 100,000 WordPress instances. Attackers are already actively exploiting the vulnerability.

The IT researchers at Patchstack discovered attacks on the WordPress plug-in shortly after the vulnerability became known last Friday. On Friday, the IT security company Wordfence published details of the vulnerability in SureTriggers. According to these details, attackers can create administrative user accounts over the network without prior authentication. If no API key is set up in the SureTriggers plug-in, attackers can add administrator users and thus completely compromise WordPress instances (CVE-2025-3102, CVSS 8.1, risk "high").

Only a few hours after publication, Patchstack observed attacks. The vulnerability therefore poses a significant risk for WordPress users who have not solved the problem with an update or other countermeasures.

The IT researchers have so far identified four source addresses in the attacks. These have attacked the URLs and REST API endpoints "/?rest_route=/wp-json/sure-triggers/v1/automation/action" and "/wp-json/sure-triggers/v1/automation/action". They have created new administrative accounts. The account names are randomly assembled and appear to be chosen individually for each attack.

To close the vulnerability, the developers of the SureTriggers plug-in have released version 1.0.79. Anyone using the plug-in should ensure that the latest version is already active. If necessary, plug-in users should also check whether new or unknown accounts exist in their WordPress instance.
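For triage, the following added example (not from the article, Patchstack or Wordfence) flags requests to the two endpoints named above in a web server access log, including the percent-encoded `rest_route` form. The combined log format, the function names and the sample lines are assumptions; the sample lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Route taken from the two URLs reported in the article.
ROUTE = "sure-triggers/v1/automation/action"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def targets_route(target: str) -> bool:
    """True if the request target addresses the route via path or rest_route."""
    parts = urlsplit(target)
    if ROUTE in unquote(parts.path).lower():
        return True
    # parse_qs percent-decodes values, so rest_route=%2Fwp-json%2F... matches too.
    for value in parse_qs(parts.query).get("rest_route", []):
        if ROUTE in value.lower():
            return True
    return False

def find_hits(lines):
    """Group matching requests by client IP: {ip: [(timestamp, method, status)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and targets_route(m["target"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real indicators).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:03:14:07 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Jan/2025:03:15:42 +0000] "POST /?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 298 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Jan/2025:03:16:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:03:17:30 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 403 90 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE_LOG).items():
        for ts, method, status in events:
            print(f"{ip}\t{ts}\t{method}\t{status}")
```

A hit only shows that the route was requested; whether an account was created still has to be checked in the WordPress user list, as described above.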

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.