Major WordPress Plugin Flaw Exploited in Under 4 Hours

A critical vulnerability in the WordPress plugin SureTriggers has exposed thousands of websites to remote attacks, allowing unauthenticated users to create administrative accounts.
SureTriggers versions 1.0.78 and below are affected by the flaw, which was publicly disclosed on April 10, 2025.
The issue lies in how SureTriggers, a tool designed to automate workflows in WordPress, handles authorization within its REST API.
Due to improper validation of the ST-Authorization HTTP header, unauthorized users can bypass checks and gain full administrative access if a site lacks a configured secret key.
According to PatchStack, who discovered the flaw, exploitation began just four hours after the vulnerability was patched.
The researchers observed attackers using the plugin’s API via the following URLs:
- /?rest_route=/wp-json/sure-triggers/v1/automation/action
- /wp-json/sure-triggers/v1/automation/action
In these attempts, attackers created admin-level accounts using randomized usernames and passwords.
The vulnerability stems from a logical flaw in the code’s handling of null values. When a site does not define an internal secret key, the plugin returns null for both the provided header and the stored key.
Since the plugin compares these two null values and treats them as a match, the authorization check inadvertently passes, granting admin access without authentication.
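The null-equals-null comparison described above, next to a fail-closed replacement, as an added PHP example. It is a hypothetical reconstruction, not the plugin's source or the vendor's patch; the function names, the `$headers` array and the sample key are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of the flawed pattern described above, NOT the
// plugin's source. $headers stands in for the parsed request headers and
// $storedKey for the site's configured secret (null when none is set).

function is_authorized_flawed(array $headers, ?string $storedKey): bool
{
    // A missing header yields null; an unconfigured key is also null.
    $provided = $headers['st-authorization'] ?? null;
    // null === null is true, so the check passes with no credential at all.
    return $provided === $storedKey;
}

function is_authorized_hardened(array $headers, ?string $storedKey): bool
{
    $provided = $headers['st-authorization'] ?? null;
    // Fail closed: with no configured secret, nothing can authenticate.
    if (!is_string($storedKey) || $storedKey === '') {
        return false;
    }
    // Reject absent or empty credentials before any comparison.
    if (!is_string($provided) || $provided === '') {
        return false;
    }
    // Constant-time comparison: known secret first, user input second.
    return hash_equals($storedKey, $provided);
}

// Constructed cases: label => [request headers, stored key]
$cases = [
    'no header, no key configured' => [[], null],
    'no header, key configured'    => [[], 's3cret-example'],
    'wrong header, key configured' => [['st-authorization' => 'guess'], 's3cret-example'],
    'right header, key configured' => [['st-authorization' => 's3cret-example'], 's3cret-example'],
];

foreach ($cases as $label => [$headers, $key]) {
    printf(
        "%-30s flawed=%s hardened=%s\n",
        $label,
        var_export(is_authorized_flawed($headers, $key), true),
        var_export(is_authorized_hardened($headers, $key), true)
    );
}
```

Only the first case differs between the two functions: the flawed check accepts a request with no header when no key is configured, while the hardened check refuses it.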
Administrators running vulnerable versions of SureTriggers are strongly urged to update their plugin to the latest release.
“It is recommended to update your site as soon as possible if you are running the SureTriggers plugin to the latest version and look for all the IOCs in your system like created accounts, recently installed plugins/themes or overall modified content,” PatchStack warned.
Additionally, administrators should audit their systems for any suspicious accounts or content changes that may have resulted from exploitation attempts.