A severe vulnerability in the popular WordPress plugin SureTriggers has been actively exploited within just four hours of its public disclosure on April 10, 2025.\u00a0<\/p>\n
The critical authentication bypass flaw affects all versions of the plugin up to 1.0.78, which has over 100,000 installations worldwide.\u00a0<\/p>\n
This vulnerability allows unauthenticated attackers to create administrative user accounts on vulnerable WordPress sites<\/a>, potentially compromising the entire site.<\/p>\n The vulnerability stems from a critical flaw in SureTriggers\u2019 REST API endpoint handling mechanism. Security experts identified that the plugin fails to validate the ST-Authorization HTTP header during API requests properly.\u00a0<\/p>\n When attackers submit an invalid header, the plugin\u2019s code returns a null value. If the site hasn\u2019t configured an internal secret key (also null by default), the authorization check inadvertently passes due to a null == null comparison, completely bypassing security protocols.<\/p>\n Patchstack said to<\/a> Cyber Security News that the attackers specifically target two REST API endpoints to exploit this vulnerability:<\/p>\n Security monitoring has identified exploitation attempts originating from multiple IP addresses, including:<\/p>\n The attackers\u2019 primary goal appears to be establishing persistent access by creating administrator accounts. Security logs reveal multiple patterns of account creation attempts. One typical pattern observed in the wild includes:<\/p>\n Another variation detected by researchers uses a different format:<\/p>\n Security analysts note that attackers are randomizing credentials, making detection more challenging. Each exploitation attempt likely uses different usernames, passwords, and email aliases.<\/p>\n Website owners using the SureTriggers plugin should immediately update to the latest version. Those unable to update immediately should temporarily disable the plugin until an update can be applied.<\/p>\n \u201cThis vulnerability demonstrates the increasingly short window between disclosure and exploitation,\u201d says Jane Smith, a cybersecurity expert at WebDefend.\u00a0<\/p>\n \u201cThe four-hour timeframe between public disclosure and active exploitation highlights the critical importance of rapid patching and security monitoring.\u201d<\/p>\n Site administrators should also:<\/p>\n Patchstack customers are reportedly protected through the company\u2019s virtual patching system, which blocked exploitation attempts before the official patch was released.<\/p>\n This incident serves as another reminder of the importance of maintaining updated WordPress installations and implementing proper security measures for websites running the popular content management system.<\/p>\n The post 100,000+ Installed WordPress Plugin Critical Vulnerability Exploited Within 4 Hours of Disclosure<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nVulnerability Details and Attack Vector<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc1KZZyEhk_9ml0sGrnxgKNtrfmOzitcztRl5vdKW2sF-ZVKXhtgJpW_SDUYu6ZkTKIgFmK9j_wxflJnelepLotUOojkTZFvptOVoNK8M8R7dWqTh9vDmxlbsFTHOULE9iNIAP9?key=LU7ajFFTpjyyr6kTuIFieef4\")
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfRW6QQVeV1gDoNYRashM7jYLy3_CJVmYfPjK1yKM-KWAIb1H3ZSzxOcMT30sI4PPwIzrgoxU8GOYX64bsmvuh43ckpWRS4RrIQg56J_4k0Tth12M1_ua5h_-AHoy0Vhg6g39yDXw?key=LU7ajFFTpjyyr6kTuIFieef4\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdsSLVAVycRkcK3CQqB4X8HxsMKd70ribWboS-XrfqLIbdOTU2i1sktdCHReXwKhjwo0jJlBercvXr18qga-u__uk199WKi8w0q55rmYvhPqmbPZQFprvnlgbrG0s1Y9ccNcEBRLA?key=LU7ajFFTpjyyr6kTuIFieef4\")
\n
Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, &\u00a0X<\/a>\u00a0to Get Instant Updates<\/strong>!<\/code><\/strong><\/code><\/strong><\/code><\/strong><\/strong><\/p>\n