Tuesday, April 22, 2025
HomeCVE/vulnerabilityOver 100,000 WordPress Plugin Vulnerability Exploited Just 4 Hours After Disclosure

Over 100,000 WordPress Plugin Vulnerability Exploited Just 4 Hours After Disclosure

Published on

SIEM as a Service

Follow Us on Google News

Over 100,000 WordPress websites have been exposed to a critical security vulnerability, following the public disclosure of a flaw in the popular SureTriggers plugin (version 1.0.78 and below) on April 10, 2025.

Exploitation attempts were observed within just four hours after the vulnerability was published—a stark reminder of the speed with which cybercriminals act.

Vulnerability Overview

According to the PatchStack report, the SureTriggers plugin, widely used for automating workflows in WordPress, was found to harbor a severe flaw in its REST API endpoint.

- Advertisement - Google News

The vulnerability arises from inadequate authorization checks when processing HTTP requests. Specifically, the plugin’s code does not enforce proper validation of the ST-Authorization HTTP header.

If an invalid or missing header is submitted and the site does not have an internal secret key configured (resulting in a null value), the flawed logic in the code passes the authorization check due to a null == null comparison.

This enables unauthenticated attackers to bypass security controls entirely.

Sample Exploit Code:

{

  "user_email": "test@test.cc",

  "user_name": "test123123",

  "password": "TESTtest123!@#",

  "first_name": "tes",

  "last_name": "est",

  "role": "administrator"

}

Attackers can send requests like the above via the REST API routes:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

Once processed, this creates a new administrator account, often with randomized usernames, passwords, and email addresses.

Active Exploitation in the Wild

Within hours of the disclosure, researchers observed automated exploitation attempts.

The first malicious activity was detected just four hours after Patchstack added a vPatch for the issue—underscoring the need for rapid updates.

Known attacker IP addresses include:

  • 2a01:e5c0:3167::2 (IPv6)
  • 2602:ffc8:2:105:216:3cff:fe96:129f (IPv6)
  • 89.169.15.201 (IPv4)
  • 107.173.63.224 (IPv4)

Typical attacker payloads set the role to “administrator” and use generic or randomized credentials, suggesting automated scripts are being leveraged at scale.

Experts urge all WordPress users running SureTriggers to immediately update to the latest plugin version.

Site owners should also review logs for suspicious recent account creations, unauthorized plugin or theme installations, and unexpected content changes—key signs of compromise.

Security analysts emphasize: “This incident demonstrates how fast attackers can weaponize new vulnerabilities. Instant patching and proactive monitoring are essential to defend your digital assets.”

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...

Cybercriminals Exploit Network Edge Devices to Infiltrate SMBs

Small and midsized businesses (SMBs) continue to be prime targets for cybercriminals, with network...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...