WordPress: 100,000 instances at risk due to vulnerability in SureTriggers plug-in
An IT security company is warning of a security vulnerability in the SureTriggers plug-in for WordPress, which is active on 100,000 instances.
(Image: created with AI in Bing Designer by heise online / dmk)
The SureTriggers plug-in is active on 100,000 WordPress instances. IT security researchers have discovered a security vulnerability in it that puts these instances at risk.
In a blog post, researchers at Wordfence explain that attackers can create administrative user accounts over the network without any prior authentication. If no API key has been set up in the SureTriggers plug-in, attackers can add administrator users and thereby completely compromise the WordPress instance (CVE-2025-3102, CVSS 8.1, risk "high").
More detailed investigation of the plug-in vulnerability
“The 'SureTriggers: All-in-One Automation Platform Plugin' for WordPress is vulnerable to authentication bypass, leading to the possible creation of an administrative account. The reason for this is a missing check of the 'secret_key' value in the 'autheticate_user' function in all versions up to and including 1.0.78,” writes Wordfence in its description of the vulnerability. The analysis goes deeper still and shows the vulnerable code snippets.
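One way a missing check on the secret_key value produces exactly the behaviour described above (a bypass only on sites where no API key has ever been configured) is a comparison that never tests whether a key exists: the stored value is empty, so an attacker who sends no key at all matches it. The Python below is an added illustration of that pattern next to its hardened form, written for this article; it is not the plug-in's PHP and does not reproduce Wordfence's snippets. The function names, the header name x-api-key, the role-from-request-body behaviour and the sample requests are assumptions chosen to show the pattern.

```python
import hmac

# Constructed stand-ins for the plug-in's stored API key. An empty string models a
# site whose owner never connected the plug-in to its backend (assumption: this is
# how an unconfigured key is represented; the real storage is not shown on the page).
UNCONFIGURED_KEY = ""
CONFIGURED_KEY = "st_" + "a" * 40          # constructed sample value, not a real key

# Hypothetical header carrying the key; the real header name is not on the page.
KEY_HEADER = "x-api-key"


def validate_api_key_vulnerable(stored_key: str, presented_key: str) -> bool:
    """Flawed check (illustrative): plain equality against the stored value with no
    test that a key has been configured at all. When stored_key is "", an absent or
    empty header also normalises to "" and the comparison succeeds."""
    return presented_key == stored_key


def validate_api_key_fixed(stored_key: str, presented_key: str) -> bool:
    """Hardened check: fail closed when no key is configured or none was presented,
    then compare in constant time so key bytes cannot be guessed one at a time."""
    if not stored_key or not presented_key:
        return False
    return hmac.compare_digest(stored_key.encode(), presented_key.encode())


def handle_create_user(headers: dict, body: dict, stored_key: str, check) -> str:
    """Model of an automation endpoint that creates a user once the request passes
    `check`. Returns the action taken instead of touching a real user table."""
    presented = headers.get(KEY_HEADER, "")
    if not check(stored_key, presented):
        return "denied"
    # Past the check, the role comes straight from the request body (assumption),
    # so whoever bypasses authentication simply asks for "administrator".
    return f"created {body.get('role', 'subscriber')}"


def run_scenarios() -> dict:
    """Exercise both checks with a constructed attacker request that sends no key."""
    attacker_headers = {}                                   # no API key at all
    attacker_body = {"user_login": "backdoor", "role": "administrator"}
    legit_headers = {KEY_HEADER: CONFIGURED_KEY}
    return {
        "vuln_unconfigured": handle_create_user(
            attacker_headers, attacker_body, UNCONFIGURED_KEY, validate_api_key_vulnerable),
        "vuln_configured": handle_create_user(
            attacker_headers, attacker_body, CONFIGURED_KEY, validate_api_key_vulnerable),
        "fixed_unconfigured": handle_create_user(
            attacker_headers, attacker_body, UNCONFIGURED_KEY, validate_api_key_fixed),
        "fixed_configured_legit": handle_create_user(
            legit_headers, attacker_body, CONFIGURED_KEY, validate_api_key_fixed),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The two checks only differ on the unconfigured case: with a key set, even the flawed comparison rejects an empty header, which is why the article's risk is limited to sites that never set up an API key. The fix has to reject the empty stored value explicitly; a stronger comparison alone does not help, because "" still equals "".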
On Thursday of last week, the SureTriggers developers released version 1.0.79, which closes the security hole. WordPress operators who use the SureTriggers plug-in should make sure they are running that version or a newer one. Attacks exploiting the vulnerability are, at the very least, to be expected.
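Operators managing several sites can confirm the installed version from the output of `wp plugin list --format=json` rather than by clicking through each dashboard. The script below is an added example written for this article, not a tool from SureTriggers or Wordfence; it assumes the plug-in's directory slug is `suretriggers` (check the name under wp-content/plugins on your site) and uses a constructed sample of wp-cli output so it runs offline.

```python
import json
import re
import sys

PLUGIN_SLUG = "suretriggers"      # assumption: the plug-in's directory slug
FIXED_VERSION = "1.0.79"          # first version that closes the hole, per the article

# Constructed sample of `wp plugin list --format=json`; not real output from any site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.5"},
    {"name": "suretriggers", "status": "active", "update": "available", "version": "1.0.78"},
])


def parse_version(version: str) -> tuple:
    """Turn '1.0.78' (or '1.0.79-beta1') into a tuple of ints for comparison.
    Each dotted component keeps only its leading digits, so a suffix like
    '-beta1' neither breaks the parse nor sorts above the plain release."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def assess(plugin_list_json: str) -> dict:
    """Report whether SureTriggers is installed, active, and below the fixed version."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "active": plugin.get("status") == "active",
                "version": version,
                "vulnerable": parse_version(version) < parse_version(FIXED_VERSION),
            }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


if __name__ == "__main__":
    # Pipe real output in:  wp plugin list --format=json | python3 check_suretriggers.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    result = assess(data)
    print(json.dumps(result, indent=2))
    # Exit non-zero when an update is needed so the check can gate a deployment job.
    sys.exit(1 if result["vulnerable"] else 0)
```

An installed but deactivated copy still reports `vulnerable: true`; the article's exposure figure counts active installs, but the safe course is to update (or remove) the plug-in either way, since it can be reactivated later.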
Given the sheer number of WordPress plug-ins available, security vulnerabilities turn up in dozens of them every day. Fortunately, most of those plug-ins are not widely used. Last week, however, a vulnerability was discovered in the WP Ultimate CSV Importer plug-in, which is active on around 20,000 WordPress sites. If attackers gain access to an account on a WordPress instance that has it installed, it likewise lets them take complete control. An updated version is available for that plug-in as well, and admins should install it promptly.
(dmk)