CVE-2025-3102 · HIGH 8.1 · EPSS p99.5%

Description

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 76.20% probability of exploitation · percentile 99.5% · 2026-06-17T12:03:21Z
Published: 2025-04-10
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-697

References

  1. https://plugins.trac.wordpress.org/browser/suretriggers/trunk/src/Controllers/RestController.php#L59
  2. https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3266499%40suretriggers%2Ftrunk&old=3264905%40suretriggers%2Ftrunk&sfp_email=&sfph_mail=
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/ec017311-f150-4a14-a4b4-b5634f574e2b?source=cve

Type: Weakness · Target: Incorrect Comparison (cwe-697) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-11007
  2. CVE-2025-12374
  3. CVE-2025-6688
  4. CVE-2025-9539
  5. CVE-2025-13539
  6. CVE-2025-2594

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.