
Authentication bypass flaw in OttoKit/SureTriggers WordPress plugin actively exploited

Take action: This is a fairly stupid scenario to get you hacked: your website is vulnerable if SureTriggers/OttoKit is installed but not configured to run properly. This is not impossible, but if you are using OttoKit, make sure it's activated. If you aren't using SureTriggers/OttoKit but have it installed, remove it from your WordPress. At any rate, updating is trivial, so update all your plugins.

Learn More

A high-severity vulnerability in the OttoKit/SureTriggers WordPress plugin is actively exploited by threat actors, according to WordPress security firm Defiant (Wordfence).

The vulnerability is tracked as CVE-2025-3102 (CVSS score 8.1) and is an authentication bypass caused by a missing empty-value check in the plugin's authentication mechanism, in the 'autheticate_user' function. It allows unauthenticated attackers to create administrator accounts, but is only exploitable when the plugin is installed and activated but not configured with an API key.

The 'autheticate_user' function performs an incomplete permission check that only compares the secret key in the header with the one stored in the plugin's database, without verifying whether the value is empty:

    public function autheticate_user( $request ) {
        $secret_key       = $request->get_header( 'st_authorization' );
        list($secret_key) = sscanf( $secret_key, 'Bearer %s' );
        // Only a strict comparison: neither the stored key nor the supplied
        // key is checked for being empty before they are compared.
        if ( $this->secret_key !== $secret_key ) {
            return false;
        }
        return true;
    }

PatchStack researchers have documented active exploitation attempts targeting this vulnerability. Attackers are observed accessing the plugin's API through the following endpoints:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

During these attacks, malicious actors create administrator-level accounts with randomized usernames and passwords, effectively giving themselves full control over compromised WordPress sites.

When the plugin is newly installed and not yet configured, the secret key value in the database is empty. By sending an empty value in the request header, attackers can bypass the authentication check and access the REST API endpoint to create administrator accounts.
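To show what the missing check looks like when it is present, here is an added illustration (not the plugin's code and not the vendor's patch) of a hardened version of the function above, with a hypothetical request stub standing in for WP_REST_Request; class names and the sample key are assumptions.

```php
<?php
// Added illustration, not SureTriggers/OttoKit code: a stand-in for the REST
// authentication check with the empty-value handling that the original lacks.
// StRequestStub, HardenedAuth and 'example-api-key' are hypothetical.

class StRequestStub {
    public function __construct(private array $headers) {}
    // Mirrors WP_REST_Request::get_header(): null when the header is absent.
    public function get_header(string $name): ?string {
        return $this->headers[$name] ?? null;
    }
}

class HardenedAuth {
    // Emulates the stored key; null or '' models an unconfigured plugin.
    public function __construct(private ?string $secret_key) {}

    public function authenticate_user(StRequestStub $request): bool {
        // Fix 1: never authenticate while no API key has been configured,
        // which is exactly the state the bypass depends on.
        if (!is_string($this->secret_key) || $this->secret_key === '') {
            return false;
        }
        $header = $request->get_header('st_authorization');
        // Fix 2: a missing or malformed header never becomes a comparable
        // value; sscanf must assign exactly one token after 'Bearer '.
        if (!is_string($header) || sscanf($header, 'Bearer %s', $supplied) !== 1) {
            return false;
        }
        // Fix 3: compare only non-empty strings, in constant time.
        return $supplied !== '' && hash_equals($this->secret_key, $supplied);
    }
}

// Constructed scenarios: unconfigured vs configured plugin, with an absent
// header, an empty bearer token and a matching token.
$unconfigured = new HardenedAuth('');
$configured   = new HardenedAuth('example-api-key');
$noHeader     = new StRequestStub([]);
$emptyBearer  = new StRequestStub(['st_authorization' => 'Bearer ']);
$goodBearer   = new StRequestStub(['st_authorization' => 'Bearer example-api-key']);

var_dump($unconfigured->authenticate_user($noHeader));
var_dump($unconfigured->authenticate_user($emptyBearer));
var_dump($configured->authenticate_user($emptyBearer));
var_dump($configured->authenticate_user($goodBearer));
```

Only the last call should succeed; the unconfigured instance rejects every request regardless of what the header contains.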

The vulnerability affects OttoKit/SureTriggers versions 1.0.78 and earlier. OttoKit/SureTriggers has over 100,000 active installations, though Defiant notes that "only a small subset of sites will actually be exploitable" due to the specific condition required (unconfigured plugin state).

Website administrators using this plugin should take immediate action:

  1. Update to OttoKit/SureTriggers version 1.0.79 or later, which contains patches for this vulnerability
  2. Ensure the plugin is properly configured with an API key
  3. Audit user accounts for any suspicious administrator accounts that may have been created

Update (as of the 14th of July 2024): Brainstorm Force claims that there is no evidence of real-world exploitation related to CVE-2025-3102. Per the vendor, the issue was resolved in version 1.083, which was apparently pushed as a forced auto-update via the WordPress.org Plugins team.

The team at BeyondMachines just cares that as many people as possible are aware of the issue and use a patched product.
