SureTriggers Vulnerability Impacts More Than 100,000 WordPress Sites

Major Vulnerability Discovered in SureTriggers Plugin: 100,000+ Websites at Risk

A significant security flaw has recently been identified in the SureTriggers WordPress plugin, exposing over 100,000 websites to potential cyber attacks. The vulnerability, officially designated as CVE-2025-3102, holds a high-severity CVSS score of 8.1, which could allow malicious actors to create unauthorized administrator accounts under certain conditions—granting them full control of affected websites.

SureTriggers, rebranded from OttoKit, is an automation tool used to connect various web apps, services, and WordPress plugins. However, its recent vulnerability has raised alarm bells within the cybersecurity community. Following its public disclosure, cybercriminals began exploiting this flaw just hours later, according to findings from Wordfence Intelligence.

The vulnerability arises from a missing empty value check in the plugin’s authenticate_user() function, leading to an authorization bypass. Attackers can exploit this flaw if the plugin is installed but not configured with an API key—a scenario common with newly downloaded plugins.
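The bug class described above, as an added illustration that is not the plugin's own code: a request-supplied API key is compared against the key the plugin stores, first without an empty-value check and then with one. The function and variable names are assumed for the example.

```php
<?php
// Added illustration of the bug class described in the article; this is not
// SureTriggers' actual code, and the function and variable names are assumed.
// $stored_key stands for the API key the plugin keeps once it is configured,
// $provided_key for the value a request sends in its authorization header.

// Vulnerable pattern: a plain equality check with no empty-value guard.
// On a site where the plugin is installed but never configured, $stored_key
// is '' and a request that sends no key also yields '', so '' === '' is true
// and the request is treated as authenticated.
function authenticate_user_vulnerable( string $provided_key, string $stored_key ): bool {
    return $provided_key === $stored_key;
}

// Hardened pattern: refuse to authenticate while no key has been configured,
// reject empty submissions, and compare the two values in constant time.
function authenticate_user_hardened( string $provided_key, string $stored_key ): bool {
    if ( $stored_key === '' || $provided_key === '' ) {
        return false;
    }
    return hash_equals( $stored_key, $provided_key );
}

// Constructed scenarios. A missing header typically arrives as null; cast it
// to '' the way a careless implementation would.
$unconfigured_key = '';             // fresh install, API key never set
$missing_header   = (string) null;  // request carrying no key at all

$cases = array(
    'vulnerable, unconfigured, no header' => authenticate_user_vulnerable( $missing_header, $unconfigured_key ),
    'hardened, unconfigured, no header'   => authenticate_user_hardened( $missing_header, $unconfigured_key ),
    'hardened, configured, wrong key'     => authenticate_user_hardened( 'guess', 'configured-secret' ),
    'hardened, configured, right key'     => authenticate_user_hardened( 'configured-secret', 'configured-secret' ),
);

foreach ( $cases as $label => $ok ) {
    printf( "%-40s %s\n", $label, $ok ? 'AUTHENTICATED' : 'rejected' );
}
```

Only the first case authenticates, which is the unconfigured-install condition the article describes; the hardened check rejects it because an empty stored key is treated as "no key configured" rather than as a key that anyone can match.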

Security researcher Mikemyers discovered this issue and received a $1,024 bug bounty for the find. All versions of SureTriggers prior to 1.0.79 are affected, and users are urged to update immediately to safeguard their sites.

The implications of this vulnerability are serious; once attackers gain administrative access, they can upload malicious content, redirect users, or compromise sensitive data. The vulnerability is particularly alarming since it requires no prior login or access level—only that a vulnerable version of the plugin is installed.

This incident underscores the need for WordPress site administrators to prioritize plugin security and keep plugins updated promptly. Administrators should also audit their plugin settings, since in this case an installed but unconfigured plugin was the vulnerable state.
