Wednesday, May 28, 2025

Over 100,000 WordPress Plugin Vulnerability Exploited Just 4 Hours After Disclosure


Over 100,000 WordPress websites have been exposed to a critical security vulnerability, following the public disclosure of a flaw in the popular SureTriggers plugin (version 1.0.78 and below) on April 10, 2025.

Exploitation attempts were observed within just four hours after the vulnerability was published—a stark reminder of the speed with which cybercriminals act.

Vulnerability Overview

According to the Patchstack report, the SureTriggers plugin, widely used for automating workflows in WordPress, was found to harbor a severe flaw in one of its REST API endpoints.


The vulnerability arises from inadequate authorization checks when processing HTTP requests. Specifically, the plugin's code does not properly validate the ST-Authorization HTTP header.

If the header is missing or invalid and the site has no internal secret key configured (so the stored value is null), the flawed logic passes the authorization check because the comparison reduces to null == null, which evaluates as equal.

This enables unauthenticated attackers to bypass security controls entirely.
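A simplified model of the check described above, written for this article as an illustration and not taken from the SureTriggers plugin itself; it shows the loose-comparison pattern beside a hardened form that refuses access when no secret is configured. The function names, the header array layout and the fix are all assumptions of this example, and only the missing-header case is modelled.

```php
<?php
// Added illustration, not the plugin's own code: a simplified model of the
// authorization logic the report describes, beside a hardened version.

// Vulnerable pattern: the stored secret is null when none was configured, and
// a missing ST-Authorization header also yields null, so null == null passes.
function vulnerable_check(array $headers, ?string $stored_secret): bool {
    $provided = $headers['ST-Authorization'] ?? null;
    return $provided == $stored_secret;   // loose comparison, null == null is true
}

// Hardened form (an assumed fix, not the vendor's actual patch): deny when no
// secret is configured, require a non-empty header, compare in constant time.
function hardened_check(array $headers, ?string $stored_secret): bool {
    if ($stored_secret === null || $stored_secret === '') {
        return false;   // an unconfigured secret must never grant access
    }
    $provided = $headers['ST-Authorization'] ?? null;
    if (!is_string($provided) || $provided === '') {
        return false;   // missing or malformed header
    }
    return hash_equals($stored_secret, $provided);
}

// Constructed scenarios: [request headers, secret stored on the site]
$cases = [
    'no header, no secret'     => [[], null],
    'wrong header, no secret'  => [['ST-Authorization' => 'guess'], null],
    'no header, secret set'    => [[], 'example-secret'],
    'correct header'           => [['ST-Authorization' => 'example-secret'], 'example-secret'],
];
foreach ($cases as $label => [$headers, $secret]) {
    printf("%-25s vulnerable=%s hardened=%s\n", $label,
        vulnerable_check($headers, $secret) ? 'PASS' : 'deny',
        hardened_check($headers, $secret) ? 'PASS' : 'deny');
}
```

The first scenario is the one the report describes: the vulnerable check passes with no header and no secret, while the hardened check denies it and only accepts a request whose header matches a configured secret.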

Sample Exploit Code:

  {
    "user_email": "test@test.cc",
    "user_name": "test123123",
    "password": "TESTtest123!@#",
    "first_name": "tes",
    "last_name": "est",
    "role": "administrator"
  }

Attackers can send requests like the above via the REST API routes:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

Once processed, this creates a new administrator account, often with randomized usernames, passwords, and email addresses.

Active Exploitation in the Wild

Within hours of the disclosure, researchers observed automated exploitation attempts.

The first malicious activity was detected just four hours after Patchstack added a vPatch for the issue, underscoring the need for rapid updates.

Known attacker IP addresses include:

  • 2a01:e5c0:3167::2 (IPv6)
  • 2602:ffc8:2:105:216:3cff:fe96:129f (IPv6)
  • 89.169.15.201 (IPv4)
  • 107.173.63.224 (IPv4)

Typical attacker payloads set the role to “administrator” and use generic or randomized credentials, suggesting automated scripts are being leveraged at scale.

Experts urge all WordPress users running SureTriggers to immediately update to the latest plugin version.

Site owners should also review logs for suspicious recent account creations (especially new administrator accounts), unauthorized plugin or theme installations, and unexpected content changes, all of which are key signs of compromise.

Security analysts emphasize: “This incident demonstrates how fast attackers can weaponize new vulnerabilities. Instant patching and proactive monitoring are essential to defend your digital assets.”

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
