CVE-2025-3102

🗓️ 10 Apr 2025 04:22:05Reported by WordfenceType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 293 Views🌐 WEB

CVE-2025-3102 allows unauthenticated users to create admin accounts in SureTriggers plugin versions ≤ 1.0.78.

Reporter	Title	Published	Views	Family All 29
GithubExploit	Exploit for CVE-2025-3102	12 Apr 202504:22	–	githubexploit
GithubExploit	Exploit for CVE-2025-3102	14 Apr 202516:07	–	githubexploit
GithubExploit	Exploit for CVE-2025-3102	14 Apr 202510:20	–	githubexploit
GithubExploit	Exploit for CVE-2025-3102	20 Apr 202513:59	–	githubexploit
GithubExploit	Exploit for CVE-2025-3102	12 Apr 202504:22	–	githubexploit
BDU FSTEC	The vulnerability of the SureTriggers plugin of the WordPress content management system allows attackers to create administrator accounts on the website.	28 Apr 202500:00	–	bdu_fstec
Circl	CVE-2025-3102	10 Apr 202504:49	–	circl
CNNVD	WordPress plugin SureTriggers 安全漏洞	10 Apr 202500:00	–	cnnvd
Cvelist	CVE-2025-3102 SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation	10 Apr 202504:22	–	cvelist
Metasploit	WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)	13 May 202518:49	–	metasploit

Vulners

Node

brainstormforce ottokit:_all-in-one_automation_platformRange≤1.0.78wordpress

[
  {
    "vendor": "brainstormforce",
    "product": "OttoKit: All-in-One Automation Platform",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.0.78",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php
plugins	www.plugins.trac.wordpress.org/changeset
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b

Parameter	Position	Path	Description	CWE
integration	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
type_event	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
selected_options	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
selected_options.user_name	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
selected_options.password	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
selected_options.user_email	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
selected_options.role	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
fields	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697
context	request body	wp-json/sure-triggers/v1/automation/action	Unauthenticated REST endpoint that accepts a user creation payload enabling potential administrative account creation in vulnerable versions.	CWE-697