SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation

CWE Incorrect Comparison
CVE CVE-2025-3102
CVSS 8.1 (High)
Publicly Published April 9, 2025
Last Updated July 9, 2025
Researcher mikemyers

Description

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
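To illustrate the class of defect the description names, here is an added PHP example written for this entry; it is not the plugin's source code. A hypothetical `weak_check_secret_key()` reproduces the failure mode (an unconfigured, empty stored key and a request with no key compare equal) beside a hardened `safe_check_secret_key()` that fails closed; the function names and sample values are assumptions.

```php
<?php
// Added illustration, not the SureTriggers/OttoKit plugin source.
// Function names and the sample keys below are hypothetical.

/**
 * Weak check: on a site that has never been configured with an API key the
 * stored value is '' and a request that omits the key also yields ''.
 * '' === '' is true, so an unconfigured site accepts any caller.
 */
function weak_check_secret_key(string $stored_key, ?string $supplied_key): bool {
    return (string) $supplied_key === $stored_key;
}

/**
 * Hardened check: require a configured key, require a supplied key, and
 * compare in constant time so a wrong key leaks no timing signal.
 */
function safe_check_secret_key(string $stored_key, ?string $supplied_key): bool {
    if ($stored_key === '' || $supplied_key === null || $supplied_key === '') {
        return false; // unconfigured site or missing key: deny, never "pass"
    }
    return hash_equals($stored_key, $supplied_key);
}

// Constructed scenarios: label => [stored key, supplied key]
$cases = [
    'unconfigured site, no key'     => ['', null],
    'unconfigured site, empty key'  => ['', ''],
    'configured, wrong key'         => ['s3cr3t-example', 'guess'],
    'configured, correct key'       => ['s3cr3t-example', 's3cr3t-example'],
];

foreach ($cases as $label => [$stored, $supplied]) {
    printf("%-30s weak=%s safe=%s\n", $label,
        weak_check_secret_key($stored, $supplied) ? 'ALLOW' : 'deny',
        safe_check_secret_key($stored, $supplied) ? 'ALLOW' : 'deny');
}
```

The first two rows show the unconfigured-site case the description refers to: the weak comparison allows the request, the hardened one denies it until an API key has actually been set.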

Wordfence blocked 1,116,380 attacks targeting this vulnerability in the past 24 hours.


Vulnerability Details for OttoKit: All-in-One Automation Platform

Software Type Plugin
Software Slug suretriggers (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.0.79, or a newer patched version
Affected Version
  • <= 1.0.78
Patched Version
  • 1.0.79

Recent vulnerabilities in OttoKit: All-in-One Automation Platform

| # | Title | CVE ID | CVSS | Researchers | Date |
|---|-------|--------|------|-------------|------|
| 1 | OttoKit: All-in-One Automation Platform <= 1.1.27 - Unauthenticated PHP Object Injection | CVE-2026-49781 | 8.1 | daroo | June 4, 2026 |
| 2 | OttoKit: All-in-One Automation Platform < 1.1.23 - Unauthenticated SQL Injection | CVE-2026-4935 | 7.5 | Drew Webber (mcdruid) | May 11, 2026 |
| 3 | OttoKit <= 1.1.20 - Authenticated (Administrator+) SQL Injection | CVE-2026-39479 | 4.9 | timomangcut | March 23, 2026 |
| 4 | OttoKit: All-in-One Automation Platform (Formerly SureTriggers) <= 1.0.82 - Unauthenticated Privilege Escalation | CVE-2025-27007 | 9.8 | Denver Jackson | April 30, 2025 |
| 5 | SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! <= 1.0.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Trigger Link Shortcode | CVE-2024-5485 | 6.4 | Krzysztof Zając | June 3, 2024 |
| 6 | SureTriggers <= 1.0.23 - Cross-Site Request Forgery | CVE-2023-49749 | 4.3 | Rafie Muhammad | December 4, 2023 |
