Cyber Resilience

CVE-2025-3102

High

Published: 10 April 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: patched release available (see Deeper analysis)
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8353 (99.3rd percentile)
Risk Priority: 66 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-3102 is a high-severity Incorrect Comparison (CWE-697) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 8.1 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The SureTriggers: All-in-One Automation Platform plugin for WordPress is affected by an authentication bypass in all versions up to and including 1.0.78. The flaw is a missing empty-value check on the secret_key parameter in the authenticate_user function, which permits unauthenticated requests to succeed when the plugin is installed and activated but no API key has been configured.

Unauthenticated attackers can exploit the issue over the network to create new administrator accounts on the target site, gaining full control of the WordPress installation. The CVSS 8.1 rating reflects high impact on confidentiality, integrity, and availability, offset by the attack complexity (AC:H) of requiring the plugin to be in an unconfigured state.
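As an added illustration (this is not the SureTriggers plugin's code, nor code from Wordfence or the advisory), the following PHP shows the comparison pattern the analysis describes next to a fail-closed version. Function and variable names are hypothetical; `$stored_key` stands in for the API key the site owner is expected to configure, and the request arrays are constructed sample inputs.

```php
<?php
// Added illustration, not the plugin's own code. Shows why a missing
// empty-value check on a shared secret turns "no key configured" into
// "every request is authenticated", and the checks that close the gap.
// All names are hypothetical; the sample key is a placeholder.

/**
 * Vulnerable pattern: the only question asked is "does the supplied key
 * equal the stored one?". On an unconfigured site the stored key is the
 * empty string, so a request with an empty or absent secret_key matches.
 */
function authenticate_user_vulnerable(array $request, string $stored_key): bool
{
    $supplied = $request['secret_key'] ?? '';
    return $supplied === $stored_key; // '' === '' is true: unintended success
}

/**
 * Hardened pattern:
 *  1. An unconfigured secret means the endpoint must not be usable at all,
 *     so fail closed instead of comparing against the empty string.
 *  2. Reject an empty, missing or non-string supplied key before comparing.
 *  3. Compare with hash_equals() so the comparison runs in constant time.
 */
function authenticate_user_hardened(array $request, string $stored_key): bool
{
    if ($stored_key === '') {
        return false; // nothing to authenticate against: fail closed
    }
    $supplied = $request['secret_key'] ?? '';
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored_key, $supplied);
}

// Constructed inputs for the two site states the advisory distinguishes.
$unconfigured_site = '';                        // plugin active, no API key set
$configured_site   = 'example-placeholder-key'; // placeholder, not a real key

$anonymous_request = ['action' => 'create_user'];                   // no secret_key
$empty_key_request = ['action' => 'create_user', 'secret_key' => ''];
$valid_request     = ['action' => 'create_user', 'secret_key' => 'example-placeholder-key'];

$cases = [
    'vulnerable / unconfigured / no key'    => authenticate_user_vulnerable($anonymous_request, $unconfigured_site),
    'vulnerable / unconfigured / empty key' => authenticate_user_vulnerable($empty_key_request, $unconfigured_site),
    'hardened   / unconfigured / no key'    => authenticate_user_hardened($anonymous_request, $unconfigured_site),
    'hardened   / unconfigured / empty key' => authenticate_user_hardened($empty_key_request, $unconfigured_site),
    'hardened   / configured   / empty key' => authenticate_user_hardened($empty_key_request, $configured_site),
    'hardened   / configured   / valid key' => authenticate_user_hardened($valid_request, $configured_site),
];

foreach ($cases as $label => $authenticated) {
    printf("%-42s => %s\n", $label, $authenticated ? 'AUTHENTICATED' : 'rejected');
}
```

Run with `php example.php`: the two vulnerable cases report AUTHENTICATED on an unconfigured site, while the hardened function rejects everything except the request carrying the configured key. When auditing similar plugin code, the thing to look for is any secret comparison whose stored side can legitimately be empty without an explicit check that treats that state as "deny".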

Public references point to a fix committed in the WordPress plugin repository that adds the missing validation, and the Wordfence advisory recommends updating to a patched release. The EPSS score peaked at 0.8844 and currently stands at 0.8353, indicating sustained exploitation interest since disclosure.

EU & UK References

Vulnerability details

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'authenticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

WordPress (inferred from references and description; NVD has not filed a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References