A serious security flaw has been discovered in the popular WordPress plugin SureTriggers, which is currently installed on over 100,000 websites. Cybercriminals have already started exploiting the vulnerability, raising major concerns across the WordPress community.
The issue was publicly disclosed shortly before the weekend. According to cybersecurity researchers at Patchstack, the attacks began just hours after the vulnerability was announced last Friday. That same day, security experts at Wordfence revealed technical details of the flaw, warning that it allows remote attackers to create administrator-level user accounts without authentication.
The flaw can be exploited when no API key is configured in the plugin. In that state, attackers can add new admin users, giving them full control over the affected WordPress site. The vulnerability, tracked as CVE-2025-3102, carries a CVSS score of 8.1, classifying it as a high-severity threat.
Exploitation Already in the Wild
Patchstack has confirmed that the vulnerability is already being actively abused in real-world attacks. These incidents pose a significant risk for WordPress administrators who have not yet updated their plugin or implemented alternative security measures.
So far, four unique origin IP addresses have been identified in the attacks. Hackers are targeting two specific endpoints on affected sites:
- /?rest_route=/wp-json/sure-triggers/v1/automation/action
- /wp-json/sure-triggers/v1/automation/action
Through these endpoints, attackers are generating new admin accounts with randomly created usernames, which vary with each intrusion attempt.
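To check whether a site has received requests to either endpoint, the web server access log can be searched for them. The following is an added example, not code from Patchstack, Wordfence or the plugin: it assumes Combined Log Format, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Route named in the article; both reported request forms end in it.
ACTION_ROUTE = "/sure-triggers/v1/automation/action"

# Assumed Combined Log Format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def targets_action_route(target):
    """True if the request reaches the action route via the path or rest_route."""
    parts = urlsplit(target)
    candidates = [unquote(parts.path)]
    # parse_qs percent-decodes values, so rest_route=%2Fwp-json%2F... is caught too.
    candidates += parse_qs(parts.query).get("rest_route", [])
    for value in candidates:
        # Collapse duplicate slashes, drop a trailing slash, ignore case.
        normalized = re.sub(r"/+", "/", value).rstrip("/").lower()
        if normalized.endswith(ACTION_ROUTE):
            return True
    return False

def find_hits(lines):
    """Return {source_ip: [(time, method, status, target), ...]} for matches."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_action_route(m["target"]):
            hits[m["ip"]].append((m["time"], m["method"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real attack traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:08:14:02 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:08:15:40 +0000] "POST /?rest_route=/wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:08:15:41 +0000] "POST /?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 401 87 "-" "-"',
    '192.0.2.44 - - [01/Jan/2025:08:16:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "-"',
]

if __name__ == "__main__":
    for ip, requests in find_hits(SAMPLE_LOG).items():
        for when, method, status, target in requests:
            print(f"{ip} [{when}] {method} {status} {target}")
```

Any hit on a site that was running a version older than 1.0.79 is a reason to compare the request time against the creation dates of the site's administrator accounts.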
Update Urgently Recommended
In response to the threat, the developers behind SureTriggers have released a patched version—1.0.79—which addresses the flaw. Website owners using the plugin are strongly urged to verify that they are running this latest version.
In addition to updating, users should carefully inspect their WordPress user list for any unfamiliar or newly created administrator accounts. If found, these accounts should be removed immediately, and further security steps—including password resets and API key configuration—should be considered.
This incident serves as a stark reminder of the importance of keeping plugins up to date and regularly auditing website security, especially when using third-party tools with deep system access.