CVE-2025-3102

SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation

Basic Information

CVE State
PUBLISHED
Reserved Date
April 01, 2025
Published Date
April 10, 2025
Last Updated
April 10, 2025
Vendor
brainstormforce
Product
OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
Description
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
0.15% (Percentile: 36.04%) as of 2025-04-29

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-04-11 00:00:00 UTC)
Proof of Concept Available
Yes (added 2025-04-25 23:28:10 UTC)

Known Exploited Vulnerability Information

Source Added Date
TheHackerNews 2025-04-11 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

SUPRAAA-1337/CVE-2025-3102-exploit

Type: github • Created: 2025-04-25 23:28:10 UTC • Stars: 1

Exploitation of an authorization bypass vulnerability in the SureTriggers plugin for WordPress versions <= 1.0.78, allowing unauthenticated attackers to create new WordPress users.

SUPRAAA-1337/CVE-2025-3102_v2

Type: github • Created: 2025-04-25 12:13:44 UTC • Stars: 0

Checks the SureTriggers WordPress plugin's readme.txt file for the Stable tag version. If the version is less than or equal to 1.0.78, it is considered vulnerable.

SUPRAAA-1337/CVE-2025-3102

Type: github • Created: 2025-04-25 11:56:45 UTC • Stars: 0

Detects the version of the SureTriggers WordPress plugin from exposed asset URLs and compares it to determine if it's vulnerable (<= 1.0.78).

dennisec/CVE-2025-3102

Type: github • Created: 2025-04-20 13:59:57 UTC • Stars: 0

rhz0d/CVE-2025-3102

Type: github • Created: 2025-04-14 16:07:50 UTC • Stars: 1

WordPress SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation

Nxploited/CVE-2025-3102

Type: github • Created: 2025-04-14 10:20:47 UTC • Stars: 1

WordPress SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation

itsismarcos/vanda-CVE-2025-3102

Type: github • Created: 2025-04-12 04:22:58 UTC • Stars: 1

EXPLOIT CVE-2025-3102