

April 15, 2025
Severity
High
Analysis Summary
A critical vulnerability in the popular WordPress plugin SureTriggers, disclosed publicly on April 10, 2025, has been actively exploited within just four hours of its announcement. The flaw, present in all versions up to 1.0.78 (with over 100,000 installations), allows unauthenticated attackers to create administrative user accounts, effectively giving them full control over compromised sites. The speed and scale of the exploitation emphasize the urgency for site administrators to respond immediately.
The vulnerability arises from a flawed REST API authorization mechanism. Specifically, the plugin fails to properly validate the ST-Authorization HTTP header. When an attacker sends a request with an invalid or missing header, the plugin compares two null values, the provided header value and the default internal secret key, so the check reduces to null == null, which succeeds and bypasses authentication entirely. This logic flaw lets attackers call two REST API endpoints without credentials and, through them, execute unauthorized actions such as creating administrator accounts.
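The following is an added illustration of the authorization flaw described above; it is not the plugin's code (SureTriggers is written in PHP) but a small Python model of the decisive behaviour: when the stored secret is still at its default (null) and the ST-Authorization header is absent, a plain equality test compares null with null and passes. The hardened variant shows the two properties a defender should verify in any such check: it fails closed when either value is missing, and it compares the values in constant time. The header name comes from the advisory; the secret values and requests are constructed for the example.

```python
"""Model of a null == null authorization bypass in an HTTP header check.

Added example, not the plugin's own code. The vulnerable function mirrors
the flaw described in the advisory; the hardened one shows the fix pattern.
"""
import hmac
from typing import Optional


def vulnerable_authorize(header_value: Optional[str],
                         stored_secret: Optional[str]) -> bool:
    """Flawed check: a bare equality test with no handling of missing values.

    With the secret still at its default (None) and no ST-Authorization
    header supplied (None), None == None is True and the request is
    treated as authorised.
    """
    return header_value == stored_secret


def hardened_authorize(header_value: Optional[str],
                       stored_secret: Optional[str]) -> bool:
    """Corrected check: deny when either value is missing, then compare
    in constant time so the comparison does not leak timing information."""
    if not stored_secret or not header_value:
        return False  # unset secret or absent header: fail closed
    return hmac.compare_digest(header_value.encode(), stored_secret.encode())


def extract_header(headers: dict) -> Optional[str]:
    """Return the ST-Authorization header value, or None if absent or empty."""
    value = headers.get("ST-Authorization")
    if value is None:
        return None
    value = value.strip()
    return value or None


# Constructed scenarios (not captured traffic)
UNCONFIGURED_SECRET = None  # secret key still at its default, i.e. null
CONFIGURED_SECRET = "example-secret-set-by-site-owner"

REQUEST_NO_HEADER = {}
REQUEST_WITH_SECRET = {"ST-Authorization": CONFIGURED_SECRET}
REQUEST_WRONG_SECRET = {"ST-Authorization": "guess"}


def demo() -> dict:
    """Run every scenario through both checks.

    Returns {scenario: (vulnerable_result, hardened_result)}.
    """
    scenarios = {
        "no_header_unconfigured": (REQUEST_NO_HEADER, UNCONFIGURED_SECRET),
        "no_header_configured": (REQUEST_NO_HEADER, CONFIGURED_SECRET),
        "correct_secret": (REQUEST_WITH_SECRET, CONFIGURED_SECRET),
        "wrong_secret": (REQUEST_WRONG_SECRET, CONFIGURED_SECRET),
    }
    results = {}
    for name, (headers, secret) in scenarios.items():
        hv = extract_header(headers)
        results[name] = (vulnerable_authorize(hv, secret),
                         hardened_authorize(hv, secret))
    return results


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:24s} vulnerable={str(vuln):5s} hardened={fixed}")
```

Only the first scenario separates the two implementations: with a configured secret the flawed check behaves correctly, which is why the bypass affected installations where the secret had never been changed from its default, and why the remediation list below asks you to set the internal secret keys.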
Security teams have identified exploitation attempts from various IP addresses, both IPv4 and IPv6, such as 89.169.15.201, 107.173.63.224, and others. The attackers are creating randomized admin accounts using varying usernames, passwords, and email formats to avoid detection. Security logs reveal consistent patterns in these activities, showing a coordinated and automated attack campaign focused on persistent access and administrative control.
In response, website owners are strongly advised to immediately update to the patched version of SureTriggers or temporarily disable the plugin if updates are not feasible. Additional recommended actions include auditing admin accounts, checking for unexpected plugin or theme changes, and reviewing server logs for suspicious API requests. A web application firewall (WAF) can provide extra protection. Notably, Patchstack customers were shielded via virtual patching, underscoring the value of proactive security solutions. This incident serves as a stark reminder of the need for rapid patching and vigilant monitoring in the face of rapidly exploited zero-day vulnerabilities.
Impact
- Security Bypass
- Unauthorized Access
Indicators of Compromise
IP Addresses
89.169.15.201
107.173.63.224
Affected Vendors
- WordPress
Remediation
- Update the SureTriggers plugin to the latest patched version immediately (latest version post-1.0.78).
- Temporarily disable the plugin if you are unable to apply the update right away.
- Audit all user accounts and look for any suspicious administrator-level users created since April 10, 2025.
- Review server logs for requests made to the vulnerable REST API endpoints.
- Check for any unexpected plugin or theme changes.
- Enable and configure a Web Application Firewall (WAF) to block exploit attempts.
- Randomize and strengthen your site’s internal secret keys, especially if they are still set to default/null.
- Monitor your website’s access logs for activity from known malicious IP addresses.
- Consider using a security service like Patchstack that offers virtual patching to proactively protect against future zero-day vulnerabilities.
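As an added example for the log-review steps above (requests to the vulnerable REST endpoints, and activity from the listed IP addresses), the script below triages web server access logs in the common Apache/nginx combined format. It is not part of the advisory. The two IP addresses are the ones the advisory lists; the REST route prefix is a placeholder under the standard WordPress /wp-json/ prefix because the advisory does not name the two endpoints, so replace it with the plugin's actual REST namespace before use. The log lines are constructed for the example.

```python
"""Access-log triage for the exploitation pattern in this advisory.

Added example. Flags (a) any request from the IoC IP addresses and
(b) POST requests to the plugin's REST routes on or after the public
disclosure date. IPv4 and IPv6 addresses are normalised before matching.
"""
import ipaddress
import re
from datetime import datetime, timezone

# IoC addresses from the advisory, normalised for comparison
IOC_IPS = {str(ipaddress.ip_address(ip))
           for ip in ("89.169.15.201", "107.173.63.224")}

# PLACEHOLDER: the advisory does not name the endpoints; substitute the
# plugin's real REST namespace (routes live under the WordPress /wp-json/ prefix)
PLUGIN_REST_PREFIX = "/wp-json/PLUGIN-NAMESPACE/"

DISCLOSURE = datetime(2025, 4, 10, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line; return a dict or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = str(ipaddress.ip_address(rec["ip"]))  # canonical form
    except ValueError:
        return None
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec: dict) -> list:
    """Return the list of reasons a parsed request is suspicious (may be empty)."""
    reasons = []
    if rec["ip"] in IOC_IPS:
        reasons.append("ioc_ip")
    if (rec["method"] == "POST"
            and rec["path"].startswith(PLUGIN_REST_PREFIX)
            and rec["ts"] >= DISCLOSURE):
        reasons.append("plugin_rest_request")
    return reasons


def triage(lines) -> list:
    """Parse and classify every line; return only the flagged requests."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line: skip, do not crash the run
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(),
                             "path": rec["path"], "ua": rec["ua"],
                             "reasons": reasons})
    return findings


# Constructed sample log (not real traffic)
SAMPLE_LOG = [
    '89.169.15.201 - - [15/Apr/2025:03:12:44 +0000] "POST /wp-json/PLUGIN-NAMESPACE/action HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '2001:db8::1234 - - [15/Apr/2025:03:13:01 +0000] "POST /wp-json/PLUGIN-NAMESPACE/action HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Apr/2025:09:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '107.173.63.224 - - [09/Apr/2025:22:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not a valid log record',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:20s} {f['path']:40s} {','.join(f['reasons'])}")
```

Any hit on plugin_rest_request should be correlated with the user-account audit step: a POST to the plugin's endpoints followed by a new administrator account in the same time window is the pattern the advisory describes. The IoC match is kept independent of the disclosure date so that earlier reconnaissance from the same addresses is not discarded.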