
WordPress Plugin Vulnerability Affecting Over 100,000 Sites Exploited Just 4 Hours After Disclosure

Over 100,000 WordPress websites have been exposed to a critical security vulnerability, following the public disclosure of a flaw in the popular SureTriggers plugin (version 1.0.78 and below) on April 10, 2025.

Exploitation attempts were observed within just four hours after the vulnerability was published—a stark reminder of the speed with which cybercriminals act.

Vulnerability Overview

According to the Patchstack report, the SureTriggers plugin, widely used for automating workflows in WordPress, was found to harbor a severe flaw in its REST API endpoint.

The vulnerability arises from inadequate authorization checks when processing HTTP requests. Specifically, the plugin’s code does not enforce proper validation of the ST-Authorization HTTP header.

If the header is invalid or missing and the site has no internal secret key configured (so the stored value is null), the flawed check ends up comparing null with null; because the comparison is loose, it evaluates to true and the request passes the authorization check.

This enables unauthenticated attackers to bypass security controls entirely.
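The following is an added illustration of that bug class, written for this article rather than taken from the SureTriggers code base: a WordPress REST permission callback with the loose null comparison beside a hardened version that fails closed. The option name, the assumed handler name, and the Bearer prefix handling are assumptions.

```php
<?php
// Added example: a hypothetical reconstruction of the bug class described
// above, not the SureTriggers plugin's actual code. The option name
// 'sure_triggers_secret_key' and the handler name are assumptions.

// Weak check: when no secret key has ever been configured, get_option()
// returns the null default, and a request without the header also yields
// null, so the loose comparison (null == null) is true and the request
// is treated as authorized.
function st_weak_permission_check( WP_REST_Request $request ) {
    $header = $request->get_header( 'ST-Authorization' );        // null if absent
    $secret = get_option( 'sure_triggers_secret_key', null );   // null if never set
    return $header == $secret;   // loose comparison: null == null is true
}

// Hardened check: refuse every request when the secret was never configured,
// reject empty or non-string headers, and compare with a type-strict,
// constant-time function.
function st_hardened_permission_check( WP_REST_Request $request ) {
    $secret = get_option( 'sure_triggers_secret_key', '' );
    if ( ! is_string( $secret ) || $secret === '' ) {
        return new WP_Error( 'st_no_secret', 'Secret key not configured.', array( 'status' => 403 ) );
    }
    $header = $request->get_header( 'ST-Authorization' );
    if ( ! is_string( $header ) || $header === '' ) {
        return new WP_Error( 'st_forbidden', 'Missing authorization header.', array( 'status' => 401 ) );
    }
    // Accept an optional "Bearer " prefix (assumed convention), then compare.
    if ( 0 === strpos( $header, 'Bearer ' ) ) {
        $header = substr( $header, 7 );
    }
    if ( ! hash_equals( $secret, $header ) ) {
        return new WP_Error( 'st_forbidden', 'Invalid authorization header.', array( 'status' => 403 ) );
    }
    return true;
}

// Register the route with the hardened callback; 'st_automation_action' is an
// assumed handler name defined elsewhere in the plugin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'sure-triggers/v1', '/automation/action', array(
        'methods'             => 'POST',
        'callback'            => 'st_automation_action',
        'permission_callback' => 'st_hardened_permission_check',
    ) );
} );
```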

Sample Exploit Code:

{
  "user_email": "test@test.cc",
  "user_name": "test123123",
  "password": "TESTtest123!@#",
  "first_name": "tes",
  "last_name": "est",
  "role": "administrator"
}

Attackers can send requests like the above via the REST API routes:

  • /?rest_route=/wp-json/sure-triggers/v1/automation/action
  • /wp-json/sure-triggers/v1/automation/action

Once processed, this creates a new administrator account, often with randomized usernames, passwords, and email addresses.

Active Exploitation in the Wild

Within hours of the disclosure, researchers observed automated exploitation attempts.

The first malicious activity was detected just four hours after Patchstack added a vPatch for the issue—underscoring the need for rapid updates.

Known attacker IP addresses include:

  • 2a01:e5c0:3167::2 (IPv6)
  • 2602:ffc8:2:105:216:3cff:fe96:129f (IPv6)
  • 89.169.15.201 (IPv4)
  • 107.173.63.224 (IPv4)

Typical attacker payloads set the role to “administrator” and use generic or randomized credentials, suggesting automated scripts are being leveraged at scale.

Experts urge all WordPress users running SureTriggers to immediately update to the latest plugin version.

Site owners should also review logs for suspicious recent account creations, unauthorized plugin or theme installations, and unexpected content changes—key signs of compromise.

Security analysts emphasize: “This incident demonstrates how fast attackers can weaponize new vulnerabilities. Instant patching and proactive monitoring are essential to defend your digital assets.”


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
