Description
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Published: 2025-04-10
Score: 8.1 High
EPSS: 83.5% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the SureTriggers All‑In‑One Automation Platform plugin for WordPress allows an unauthenticated attacker to create an administrator account because the plugin's authentication routine fails to verify that the 'secret_key' field is non‑empty before proceeding. This bypass is a classic authentication bypass (CWE‑697). The attacker can then obtain full control over the WordPress site, compromising the confidentiality, integrity, and availability of its content and configuration.

Affected Systems

The flaw affects all WordPress installations that have the SureTriggers: All‑In‑One Automation Platform plugin version 1.0.78 or earlier. Users who have installed, activated the plugin and left the API key field empty are susceptible. The issue does not exist in versions newer than 1.0.78 according to the existing patch.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity. The EPSS score of 84% suggests a very high likelihood that this flaw will be exploited in the wild. The vulnerability is not in the CISA KEV catalog, but the combination of high inherent risk and ease of exploitation makes it an immediate priority. Attackers can exploit the flaw remotely by issuing unauthenticated HTTP requests to the plugin’s REST endpoint, thereby bypassing authentication and creating privileged accounts. Based on the description, it is inferred that the exploitation requires only unauthenticated HTTP requests to the plugin’s REST endpoint.

Generated by OpenCVE AI on May 19, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SureTriggers plugin to a version beyond 1.0.78 where the empty secret_key check has been corrected.
  • If an immediate upgrade is not possible, temporarily disable the plugin or restrict access to its REST endpoints for unauthenticated users to prevent account creation until the fix is applied.
  • Audit the WordPress admin users for any newly created accounts that may have been created through this vulnerability and delete or remediatie unauthorized accounts.

Generated by OpenCVE AI on May 19, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.86586}

 epss

{'score': 0.86464}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.85991}

 epss

{'score': 0.86586}

Thu, 10 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 04:30:00 +0000

Type Values Removed Values Added
Description The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
Title SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
Weaknesses CWE-697
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:20.420Z

Reserved: 2025-04-01T18:27:15.860Z

Link: CVE-2025-3102

cve-icon Vulnrichment

Updated: 2025-04-10T13:10:28.790Z

cve-icon NVD

Status : Deferred

Published: 2025-04-10T05:15:38.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3102

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:15:08Z

Weaknesses