The SureTriggers WordPress plugin is an all-in-one automation platform that WordPress site owners use to automate their websites. However, in version 1..78 and earlier, the plugin contains an authentication bypass vulnerability (identified as CVE-2025-3102) that could allow an attacker to create an administrator account on the website without valid authentication. This article breaks down CVE-2025-3102, explains how the attack works, includes a code snippet illustrating the missing empty-value check on the 'secret_key' value in the 'authenticate_user' function, and lists the original references and exploit details.
Vulnerability Details
The SureTriggers All-in-One Automation Platform plugin for WordPress, a plugin for simplifying website automation, has a security flaw that can leave a site open to unauthorized access. The vulnerability affects versions 1..78 and earlier and allows an attacker to bypass authentication and create an administrator account.
Affected plugin versions are missing an empty-value check on the 'secret_key' value in the 'authenticate_user' function. When the plugin is installed and activated but not yet configured with an API key, an unauthenticated attacker can create an administrator account and potentially take over the targeted WordPress website.
Here's a code snippet that illustrates the missing empty-value check in the 'authenticate_user' function (the snippet is a simplified illustration of the flaw, not a verbatim copy of the plugin's source):
function authenticate_user( $username, $password ) {
    // Secret key stored by the plugin; defaults to '' when the plugin has
    // been activated but never configured.
    $secret_key = get_option( 'suretriggers_secret_key', '' );

    // Only the caller-supplied value is checked for emptiness; the stored
    // $secret_key is never checked, which is the flaw described in this article.
    // The loose '==' comparison is kept as in the vulnerable snippet.
    if ( ! empty( $_GET['secret_key'] ) && $_GET['secret_key'] == $secret_key ) {
        $user = get_user_by( 'login', $username );
        if ( $user && wp_check_password( $password, $user->data->user_pass, $user->ID ) ) {
            return $user;
        }
    }
    return false;
}
As you can see, the problem stems from the lack of an empty-value check on the $secret_key variable. When the SureTriggers plugin is installed but the 'secret_key' has not been configured, the 'authenticate_user' function can be abused by an attacker.
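For comparison, here is a hardened counterpart to the snippet above. This is an added example written for this article, not the plugin's own code or its official patch; the stub functions are constructed stand-ins for the WordPress helpers so the file runs on its own under the php CLI.

```php
<?php
// Added example, not the plugin's code or its official patch: a hardened
// version of the article's authenticate_user() snippet. The stubs below are
// constructed stand-ins for WordPress's get_option(), get_user_by() and
// wp_check_password(); inside WordPress the real functions are used instead.
if ( ! function_exists( 'get_option' ) ) {
    // Simulates a freshly installed plugin whose secret key is not configured.
    function get_option( $name, $default = false ) { return $default; }
    function get_user_by( $field, $value ) {
        if ( $value !== 'admin' ) { return false; }
        $user = new stdClass();
        $user->ID = 1;
        $user->data = new stdClass();
        $user->data->user_pass = 'placeholder-hash';
        return $user;
    }
    function wp_check_password( $password, $hash, $user_id ) {
        return $password === 'correct-password'; // constructed check
    }
}

function authenticate_user_hardened( $username, $password ) {
    $stored_key = get_option( 'suretriggers_secret_key', '' );
    // The check the vulnerable snippet lacks: an unconfigured (empty or
    // non-string) secret must refuse every request, whatever the caller sends.
    if ( ! is_string( $stored_key ) || $stored_key === '' ) {
        return false;
    }
    $supplied_key = ( isset( $_GET['secret_key'] ) && is_string( $_GET['secret_key'] ) )
        ? $_GET['secret_key'] : '';
    if ( $supplied_key === '' ) {
        return false;
    }
    // Strict, timing-safe comparison instead of PHP's loose '=='.
    if ( ! hash_equals( $stored_key, $supplied_key ) ) {
        return false;
    }
    $user = get_user_by( 'login', $username );
    if ( ! $user || ! wp_check_password( $password, $user->data->user_pass, $user->ID ) ) {
        return false;
    }
    return $user;
}

// Unconfigured secret, attacker-chosen key, valid credentials: still refused.
$_GET['secret_key'] = 'whatever';
$result = authenticate_user_hardened( 'admin', 'correct-password' );
echo $result === false ? "refused: secret key not configured\n" : "AUTHENTICATED\n";
```

Once a non-empty secret is stored, the same function authenticates only when the supplied key matches it exactly and the username/password pair is valid.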
Exploit
To make matters worse, a proof-of-concept (PoC) exploit already exists for the authentication bypass vulnerability in the SureTriggers plugin. It is relatively simple to use and can be run from any environment with network access to the targeted WordPress site.
For more information and the original references on this vulnerability, visit the following links:
- CVE-2025-3102: SureTriggers for WordPress Authentication Bypass
- WordPress Plugins - SureTriggers 1..78 - Authentication Bypass
Conclusion
Website owners using the SureTriggers All-in-One Automation Platform plugin (version 1..78 or earlier) need to be aware of CVE-2025-3102 and take steps to prevent attackers from exploiting this weakness. Update the plugin to the latest version as soon as possible and make sure a secure 'secret_key' is configured, so that the authentication bypass and unauthorized account creation are no longer possible.
Timeline
Published on: 04/10/2025 05:15:38 UTC
Last modified on: 04/11/2025 15:40:10 UTC