Critical SureTriggers Plugin Vulnerability Exploited within 4 hours

Published 10 April 2025
Vulnerability Information

On April 10, 2025, a critical vulnerability in the WordPress plugin SureTriggers (version 1.0.78 and below) was identified and publicly disclosed. The flaw allows unauthenticated attackers to create administrator accounts on vulnerable WordPress sites.

Exploitation attempts were observed within hours of disclosure, so the vulnerability poses a significant risk to sites that have not yet updated, mitigated the issue, or been protected by a Patchstack vPatch.

Vulnerability Overview

The SureTriggers plugin, designed to automate workflows within WordPress, contains a critical flaw in the handling of one of its REST API endpoints. The vulnerability stems from an insufficient authorization check on requests to the WordPress REST API.

Specifically, the plugin fails to properly validate the ST-Authorization HTTP header. When the header is missing or invalid, the plugin's parsing code returns null. If the site has not configured the plugin's internal secret key, the stored value is also null, and the loose comparison null == null evaluates to true, so the authorization check passes and the endpoint is reachable without any credentials at all. A check that failed closed when no secret is configured, or that required a non-empty string on both sides before comparing, would not have this problem.
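To make the flawed check concrete, the following is an added illustration written for this article; it is not SureTriggers code, and the function names, the option name st_secret_key and the header format it parses are assumptions. It shows a REST permission callback with the loose null comparison described above, followed by a hardened version that fails closed when no secret is configured and compares with hash_equals().

```php
<?php
// Added illustration, not SureTriggers code. Function names, the option name and
// the header format are assumptions; the real plugin's details are not on this page.

// Return the secret carried in the ST-Authorization header, or null when the
// header is missing or malformed (the behaviour the advisory describes).
function st_get_header_secret( WP_REST_Request $request ) {
    $header = $request->get_header( 'ST-Authorization' ); // WP canonicalizes the name
    // Assumed format "Bearer <token>"; anything else is treated as invalid.
    if ( ! is_string( $header ) || ! preg_match( '/^Bearer (\S+)$/', $header, $m ) ) {
        return null;
    }
    return $m[1];
}

// Return the site's configured secret, or null when none has ever been set up.
function st_stored_secret() {
    $secret = get_option( 'st_secret_key', null ); // assumed option name
    return ( is_string( $secret ) && '' !== $secret ) ? $secret : null;
}

// VULNERABLE: with an invalid header (null) and no configured secret (null),
// null == null is true, so an unauthenticated request is authorized.
function st_permission_vulnerable( WP_REST_Request $request ) {
    return st_get_header_secret( $request ) == st_stored_secret();
}

// HARDENED: fail closed when either side is absent, then compare strictly and in
// constant time. hash_equals() only accepts strings, so the null checks also keep
// it from emitting a warning and returning false for the wrong reason.
function st_permission_hardened( WP_REST_Request $request ) {
    $expected = st_stored_secret();
    $provided = st_get_header_secret( $request );
    if ( null === $expected || null === $provided ) {
        return new WP_Error( 'rest_forbidden', 'Missing credentials.', array( 'status' => 401 ) );
    }
    if ( ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid credentials.', array( 'status' => 403 ) );
    }
    return true;
}

// Route registration as it would look with the hardened callback in place.
add_action( 'rest_api_init', function () {
    register_rest_route( 'sure-triggers/v1', '/automation/action', array(
        'methods'             => 'POST',
        'callback'            => 'st_handle_automation_action', // assumed handler name
        'permission_callback' => 'st_permission_hardened',
    ) );
} );
```

The hardened version combines two independent controls: an unconfigured secret must deny everything rather than match everything, and the comparison itself must be strict (===, or hash_equals() for secrets) so that PHP's loose equality cannot turn two "empty" values into a match.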

Exploitation in the Wild

Attackers were quick to exploit this vulnerability, with the first recorded attempt occurring just four hours after it was added as a vPatch to our database. This swift exploitation highlights the critical need to apply patches or mitigations immediately upon the public disclosure of such vulnerabilities.

So far, exploitation attempts have originated from the following IP addresses:

  • 2a01:e5c0:3167::2 (IPv6)
  • 2602:ffc8:2:105:216:3cff:fe96:129f (IPv6)
  • 89.169.15.201 (IPv4)
  • 107.173.63.224 (IPv4)

Attackers have used both of the following URL forms to reach the vulnerable endpoint:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

In the exploitation attempts we observed, attackers tried to create user accounts with the following details:

"show_password": "yes",
"role": "administrator",
"password": "4bebb262e22",
"user_name": "xtw1838783bc",
"user_email": "xtw18387+83bc@outlook.com"

Another variation looks like the following:

"user_email": "test@test.cc",
"user_name": "test123123",
"password": "TESTtest123!@#",
"first_name": "tes",
"last_name": "est",
"role": "administrator"

Since these values appear to be randomized, the username, password and email alias will most likely differ in each exploitation attempt, so the exact strings above should not be relied on as the only indicators.

If you run the SureTriggers plugin, update it to the latest version as soon as possible, and check your site for indicators of compromise: newly created administrator accounts, recently installed plugins or themes, and modified content. Note that updating closes the entry point but does not remove an administrator account that was already created through it; any unrecognised administrator must be deleted and credentials rotated.
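As an added example that is not part of the original advisory, the PHP script below scans web-server access-log lines for requests to the two endpoint forms listed above and flags source addresses that match the IPs reported here. The log lines in it are constructed for illustration. The URL-decoding step is included because the rest_route form is often sent with its slashes percent-encoded, which a literal grep for the paths above would miss.

```php
<?php
// Added example, not part of the advisory. Scans combined-format access-log lines
// for hits on the SureTriggers automation endpoint. Sample log lines are constructed.

const ST_KNOWN_IPS = [
    '2a01:e5c0:3167::2',
    '2602:ffc8:2:105:216:3cff:fe96:129f',
    '89.169.15.201',
    '107.173.63.224',
];

// Both URL forms from the advisory, matched against the URL-decoded request path.
const ST_ROUTE_PATTERNS = [
    '#^/wp-json/sure-triggers/v1/automation/action(\?|$)#',
    '#[?&]rest_route=/wp-json/sure-triggers/v1/automation/action(&|$)#',
];

// Parse one combined-log-format line into its fields, or return null if it does not parse.
function st_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// True when the request path targets the vulnerable endpoint in either form.
function st_hits_endpoint( string $path ): bool {
    $decoded = urldecode( $path ); // %2F-encoded rest_route values decode to the literal path
    foreach ( ST_ROUTE_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $decoded ) ) {
            return true;
        }
    }
    return false;
}

// Return every matching request, with a flag for source IPs listed in the advisory.
function st_scan_log( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = st_parse_log_line( $line );
        if ( null === $req || ! st_hits_endpoint( $req['path'] ) ) {
            continue;
        }
        $req['known_ip'] = in_array( $req['ip'], ST_KNOWN_IPS, true );
        $hits[] = $req;
    }
    return $hits;
}

// Constructed sample: one hit from a listed IP, one percent-encoded hit from an
// unlisted IP, and one benign REST request that must not match.
$sample = [
    '89.169.15.201 - - [10/Apr/2025:14:03:11 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Apr/2025:14:05:42 +0000] "POST /?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Apr/2025:14:06:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
];

foreach ( st_scan_log( $sample ) as $hit ) {
    printf(
        "%s %s %s %s status=%d%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'],
        $hit['known_ip'] ? ' [IP listed in advisory]' : ''
    );
}
```

Run it with php against a real log by replacing $sample with file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES). A 200 response to a POST on this endpoint from an unauthenticated client is the signal to investigate; a hit from an IP that is not in the list above is just as serious, since the listed addresses are only the ones seen so far.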
