SureTriggers < 1.0.79 – Unauthenticated Admin User Creation | CVE 2025-3102 | Plugin Vulnerabilities

Description

The plugin is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

Affects Plugins

Fixed in 1.0.79

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

23ea1011-b66f-4c6c-bfd6-5febb53d2c8e

Timeline

Publicly Published

2025-04-09 (about 1 year ago)

Added

2025-04-10 (about 1 year ago)

Last Updated

2025-04-10 (about 1 year ago)

Other

Published

Title

Published

2021-07-20

Title

NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports

Published

2016-01-19

Title

Simple Download Monitor <= 3.2.8 - Insufficient Authorisation

Published

2014-11-24

Title

Download Manager <= 2.7.2 - Privilege Escalation

Published

2024-05-19

Title

Chauffeur Taxi Booking System for WordPress < 7.0 - Authentication Bypass

Published

2023-11-27

Title

Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export