Full Report
Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure. [...]
Analysis Summary
This summary is compiled based on the provided context regarding a zero-day vulnerability in a WordPress plugin.
# Vulnerability: WordPress Plugin Authentication Bypass Leading to Admin Account Creation
## CVE Details
- CVE ID: CVE-2025-3102
- CVSS Score: *(Severity not explicitly listed, but based on impact, it is likely High. Exploitation details suggest high urgency.)*
- CWE: Authentication Bypass
## Affected Systems
- Products: WordPress Plugin (Implied to be **OttoKit/SureTriggers**, based on remediation advice)
- Versions: Versions prior to 1.0.79
- Configurations: Vulnerable when the plugin is *not* configured with an API key, allowing the internal `secret_key` to remain empty.
## Vulnerability Description
The flaw exists within the plugin's `authenticate_user()` function, which handles REST API authentication. If the required API key is missing (i.e., the stored `secret_key` is empty), an attacker can exploit this vulnerability by sending an empty `st_authorization` header. This satisfies the authentication check, allowing unauthorized access to protected API endpoints. Successful exploitation grants an attacker the ability to create new administrator accounts on the target WordPress installation.
## Exploitation
- Status: **Exploited in the wild** (Recorded attempts occurred within four hours of public disclosure/vPatch addition).
- Complexity: Low (Sending an empty header is simple).
- Attack Vector: Network (Via API endpoints).
## Impact
- Confidentiality: High (Ability to access sensitive configuration and data once admin level is achieved).
- Integrity: High (Ability to modify site structure, inject code, or alter content).
- Availability: High (Potential for site takeover and subsequent disruption).
## Remediation
### Patches
- Upgrade the affected plugin to **version 1.0.79** or later.
### Workarounds
- Ensure the plugin is correctly configured with a valid API key so that the internal `secret_key` is not left empty; an empty `st_authorization` header then no longer satisfies the authorization check.
## Detection
- **Indicators of compromise (IoCs):**
  - Logs showing the creation of unexpected administrator accounts.
  - Unscheduled installation of new plugins or themes.
  - Unauthorized modification of site security settings.
- **Detection methods and tools:**
  - Monitor web application logs for any requests targeting REST API endpoints containing an empty or missing `st_authorization` header.
  - Security plugins or WAFs should be updated to look for exploitation attempts immediately following vendor advisories.
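As an added example that is not part of this report or of the plugin's own code, the following Python script applies the log-monitoring rule above to constructed request-log records. It assumes an application-level or WAF log that records request headers as one JSON object per line (ordinary web server access logs do not capture headers), and the plugin REST route prefix is an assumption to confirm against the plugin's registered routes.

```python
import json
from typing import Optional

HEADER = "st_authorization"
# Assumed route prefix for the plugin's REST endpoints; confirm against the
# plugin's registered REST namespace before deploying the rule.
PLUGIN_ROUTE_PREFIX = "/wp-json/sure-triggers/"

# Constructed sample request log (one JSON object per line); not real traffic.
SAMPLE_LOG = """\
{"ts":"2025-04-10T12:00:01Z","ip":"203.0.113.7","method":"POST","path":"/wp-json/sure-triggers/v1/example","headers":{"st_authorization":""}}
{"ts":"2025-04-10T12:00:02Z","ip":"203.0.113.7","method":"POST","path":"/wp-json/sure-triggers/v1/example","headers":{}}
{"ts":"2025-04-10T12:00:03Z","ip":"198.51.100.4","method":"GET","path":"/wp-json/wp/v2/posts","headers":{"accept":"application/json"}}
{"ts":"2025-04-10T12:00:04Z","ip":"192.0.2.9","method":"POST","path":"/wp-json/sure-triggers/v1/example","headers":{"st_authorization":"constructed-key-value"}}
{"ts":"2025-04-10T12:00:05Z","ip":"203.0.113.7","method":"GET","path":"/index.php","headers":{}}
"""

def classify(entry: dict, prefix: str = PLUGIN_ROUTE_PREFIX) -> Optional[str]:
    """Return a finding label for one request record, or None if benign."""
    path = entry.get("path", "")
    if not path.startswith("/wp-json/"):
        return None  # only WordPress REST API requests are in scope
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    if HEADER in headers and str(headers[HEADER]).strip() == "":
        return "empty-st_authorization"  # header sent but blank: strongest signal
    if HEADER not in headers and path.startswith(prefix):
        return "missing-st_authorization"  # plugin route hit with no header at all
    return None

def scan(log_text: str, prefix: str = PLUGIN_ROUTE_PREFIX) -> list:
    """Run classify() over every line; returns one finding dict per hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        reason = classify(entry, prefix)
        if reason:
            findings.append({"line": lineno, "ip": entry.get("ip"),
                             "path": entry.get("path"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests to other REST routes without the header are left alone because unauthenticated WordPress REST traffic is normal; only the blank-header case and plugin-route requests with no header are reported.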
## References
- Vendor advisory/Patch release: Available via plugin update to 1.0.79 (Date: April 3rd).
- News Source: hxxps://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-auth-bypass-hours-after-disclosure/
- Patchstack Report: hxxps://patchstack.com/articles/critical-suretriggers-plugin-vulnerability-exploited-within-4-hours/