A dangerous security hole in the SureTriggers WordPress plugin puts over 100,000 websites at serious risk of complete takeover through unauthorized administrator account creation. The newly discovered vulnerability, tracked as CVE-2025-3102, carries a concerning CVSS rating of 8.1 (High) and affects all plugin versions through 1.0.78.
The Perfect Storm: Missing API Keys and Authentication Bypass
What makes this vulnerability particularly alarming is its targeting method. Websites with SureTriggers installed and activated but lacking a properly configured API key create the perfect conditions for exploitation. The flaw originates in a fundamental authentication bypass within the plugin’s REST API endpoint handling mechanism, where the code fails to validate empty secret key values—a seemingly small oversight with potentially devastating consequences.
When exploited successfully, attackers can bypass security measures entirely to create administrator accounts without any authentication whatsoever. Once administrative access is established, attackers gain full control of the affected website, opening up a terrifying range of possibilities from backdoor installation to malware injection. They can even redirect your unsuspecting visitors to phishing sites or flood your carefully crafted website with spam content.
“This vulnerability represents a classic case of insufficient validation checking,” notes cybersecurity expert Hannah Reynolds. “Many plugin developers focus on comparing values but forget to verify that those values aren’t empty in the first place—creating dangerous backdoors into otherwise secure systems.”
The Technical Breakdown: How Does It Work?
Security researchers at Wordfence identified the vulnerability on March 13th, 2025, through their Bug Bounty Program. The specific weakness exists in the autheticate_user() function (yes, there’s even a spelling error in the function name), which handles permission checks for the plugin’s REST API endpoints.
Looking at the vulnerable code reveals a deceptively simple but dangerous flaw:
public function autheticate_user($request) {
    // Read the caller-supplied token from the st_authorization header
    $secret_key = $request->get_header('st_authorization');
    // Strip the "Bearer " prefix; an empty header leaves $secret_key empty
    list($secret_key) = sscanf($secret_key, 'Bearer %s');
    // Only inequality is tested: neither value is checked for being empty
    if ($this->secret_key !== $secret_key) {
        return false;
    }
    return true;
}
The critical mistake lies in that conditional statement. The code only checks whether the two secret keys are unequal, without first verifying that either key actually contains a value. When both the plugin’s configured key and the attacker-supplied key are empty, the two values compare equal, the inequality check does not trigger, and the function returns true. This allows attackers to access the REST API endpoint and execute the run_action() function, creating administrator accounts without any authentication barriers.
Discovery and Response
The vulnerability was discovered by security researcher “mikemyers,” who responsibly reported the issue through Wordfence’s Bug Bounty Program and received a $1,024 reward. Following standard responsible disclosure protocols, Wordfence promptly notified Brainstorm Force, the plugin’s developer, who responded by releasing a patched version (1.0.79) on April 3rd, 2025.
Urgent Action Required
If your WordPress site uses the SureTriggers plugin, updating to version 1.0.79 should be your immediate priority. The update specifically addresses this vulnerability by implementing proper validation of empty key values before performing authentication checks.
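The following is an added illustration, not the plugin’s code and not Brainstorm Force’s actual patch: it places the vulnerable comparison from the technical breakdown above beside a hardened version that applies the empty-value validation described for 1.0.79. The FakeRequest and Authenticator classes, the assumption that an unconfigured plugin stores a null key, and the demo key value are all made up for this example, and the constant-time comparison goes beyond what the page describes.

```php
<?php
// Added illustration, not the plugin's code. Only get_header() of the WordPress
// REST request object is modelled; the class names here are made up for the demo.
final class FakeRequest {
    public function __construct(private array $headers) {}
    public function get_header(string $name): ?string {
        return $this->headers[$name] ?? null;
    }
}

final class Authenticator {
    // Assumption: a plugin that was never connected stores no key, i.e. null.
    public function __construct(private ?string $secret_key) {}

    // Same logic as the vulnerable check: only "are the values unequal?" is tested.
    public function authenticate_vulnerable($request): bool {
        $secret_key = $request->get_header('st_authorization');
        // With an empty header, sscanf matches nothing and list() leaves null.
        list($secret_key) = sscanf($secret_key, 'Bearer %s');
        if ($this->secret_key !== $secret_key) {
            return false;
        }
        return true; // reached when null equals null: no key, no header, access granted
    }

    // Hardened form: refuse before comparing when either side is empty.
    public function authenticate_fixed($request): bool {
        if ($this->secret_key === null || $this->secret_key === '') {
            return false; // plugin not configured: nothing to authenticate against
        }
        $header = (string) $request->get_header('st_authorization');
        if (!preg_match('/^Bearer\s+(\S+)$/', $header, $m)) {
            return false; // missing, empty or malformed token
        }
        // Constant-time comparison of two non-empty strings.
        return hash_equals($this->secret_key, $m[1]);
    }
}

// Constructed scenario: plugin activated but never configured, and the request
// sends an empty st_authorization header.
$unconfigured = new Authenticator(null);
$empty = new FakeRequest(['st_authorization' => '']);
var_dump($unconfigured->authenticate_vulnerable($empty)); // both sides null: passes
var_dump($unconfigured->authenticate_fixed($empty));      // rejected before comparing

// Constructed configured site with a made-up key, for the normal path.
$configured = new Authenticator('demo-key-not-real');
$good = new FakeRequest(['st_authorization' => 'Bearer demo-key-not-real']);
var_dump($configured->authenticate_fixed($good));
```

The example needs PHP 8 for constructor property promotion; the vulnerable method deliberately keeps the original’s structure so the null-equals-null path can be seen.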
For additional security, WordPress administrators should:
- Regularly audit installed plugins
- Implement proper API key configurations for all plugins requiring them
- Consider using a web application firewall (WAF) for additional protection
- Monitor administrator account creation activities
“This incident highlights why regular updates aren’t just good practice—they’re essential for website security,” emphasizes WordPress security analyst Miguel Rodriguez. “Vulnerabilities like these often fly under the radar until they’re actively exploited, making proactive updates your best defense.”
As WordPress continues to dominate the content management system landscape, powering approximately 43% of all websites on the internet in 2025, these types of vulnerabilities represent significant risks to the overall web ecosystem. By taking swift action to update affected installations, site owners can protect both their own digital assets and the broader WordPress community.