CVE-2025-3102

High CVSS: 8.1

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

Vendor

Product

CWE

CWE-697

Yayın Tarihi

2025-04-10 05:15:38

Güncelleme

2025-04-11 15:40:10

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-697 HIGH 2025

Referanslar

https://plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php#L59 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3266499%40suretriggers%2Ftrunk&old=3264905%40suretriggers%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b?source=cve