CVE-2025-3102
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Analysis
The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty value check on the secret_key in the autheticate_user function. On installations where the plugin API key is not configured, unauthenticated attackers can create administrative accounts and take over the WordPress site.
Technical Context
The autheticate_user function compares the request's secret_key header against the stored API key using a comparison that doesn't check for empty/null values. On sites where SureTriggers is installed but not yet configured (no API key set), both the request header and stored key are empty, causing the comparison to succeed. This grants full API access, including the ability to create WordPress administrator accounts.
Affected Products
['SureTriggers: All-in-One Automation Platform <= 1.0.78', 'OtterPress (previous name)']
Remediation
Update to SureTriggers 1.0.79 or later. If the plugin was installed but not configured, remove it entirely. Check for unauthorized administrator accounts. Review WordPress user list for recently created admin users.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today