CVE-2025-3102
Published: 10 April 2025
Summary
CVE-2025-3102 is a high-severity Incorrect Comparison (CWE-697) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The SureTriggers All-in-One Automation Platform plugin for WordPress is affected by an authentication bypass vulnerability in all versions through 1.0.78. The flaw stems from a missing empty-value check on the secret_key parameter inside the authenticate_user function, which permits unauthenticated requests to succeed when the plugin is installed and activated without an API key configured.
Unauthenticated attackers can exploit the issue over the network to create new administrator accounts on the target site, achieving full control over the WordPress installation. The CVSS 8.1 rating reflects the high impact on confidentiality, integrity, and availability combined with the attack complexity of requiring the plugin to be in an unconfigured state.
Public references point to a fix committed in the WordPress plugin repository that addresses the missing validation, and the Wordfence advisory recommends updating to a patched release. The associated EPSS score has reached a peak of 0.8844 with a current value of 0.8353, indicating sustained exploitation interest following disclosure.
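The missing empty-value check described above, as an added hypothetical PHP illustration (not the plugin's own code; the function names, the request array and the stored-key variable are assumed), showing the vulnerable comparison next to a hardened one:

```php
<?php
// Hypothetical illustration of the CWE-697 pattern described above. This is
// not the SureTriggers plugin's actual code; names are assumed.

// Vulnerable shape: the request's secret_key is compared to a stored key that
// may never have been configured. If the stored key is '' and the request
// supplies '' (or omits the parameter), '' === '' is true and the request
// is accepted, so an activated-but-unconfigured install accepts everyone.
function authenticate_request_vulnerable(array $request, string $stored_key): bool {
    $provided = $request['secret_key'] ?? '';
    return $provided === $stored_key;
}

// Hardened shape: an unconfigured stored key is an explicit deny, an empty
// request key is an explicit deny, and the comparison is constant-time.
function authenticate_request_hardened(array $request, string $stored_key): bool {
    if ($stored_key === '') {
        return false; // plugin not configured with an API key: deny all
    }
    $provided = $request['secret_key'] ?? '';
    if ($provided === '') {
        return false; // no credential presented: deny
    }
    return hash_equals($stored_key, $provided);
}

// Constructed sample inputs.
$unconfigured_key = '';                       // activated, API key never set
$configured_key   = 'example-configured-key'; // constructed placeholder
$empty_request    = ['secret_key' => ''];
$valid_request    = ['secret_key' => 'example-configured-key'];

// Unconfigured install, empty key: vulnerable check passes, hardened check denies.
var_dump(authenticate_request_vulnerable($empty_request, $unconfigured_key));
var_dump(authenticate_request_hardened($empty_request, $unconfigured_key));
// Configured install: hardened check only passes the matching key.
var_dump(authenticate_request_hardened($valid_request, $configured_key));
var_dump(authenticate_request_hardened($empty_request, $configured_key));
```

The defensive rule this encodes is that an absent or empty stored secret must fail closed rather than match an absent or empty client value.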
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10494
Vulnerability details
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
- CWE(s): CWE-697 (Incorrect Comparison)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.