
Dangerous Cyberattacks via “SureTriggers” WordPress Plugin Began Just 4 Hours After Vulnerability Disclosure
On April 10, 2025, only four hours after a critical vulnerability in the popular WordPress plugin SureTriggers was publicly disclosed, active exploitation of the flaw began. This plugin is installed on over 100,000 websites worldwide and has been found to contain a serious authentication bypass vulnerability.
The flaw affects all versions of the plugin up to and including 1.0.78. It allows an unauthenticated attacker to create new administrator accounts without any authorization, completely compromising the security of the site.
The vulnerability lies in how the plugin handles REST API requests. SureTriggers fails to properly validate a custom HTTP header called ST-Authorization. If an invalid or malformed header is submitted, the plugin defaults to a null value. If the site has not been configured with a secret key (which would also default to null), the comparison null == null succeeds, allowing the attacker to bypass the security mechanism entirely.
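The following PHP is an added illustration, not SureTriggers' own code: it models the header check the article describes, first in the vulnerable form (a missing header and an unconfigured secret both become null, and PHP's loose `==` treats them as equal) and then in a hardened form that fails closed when either value is absent and compares with hash_equals. The function names and the sample secret are assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's code): model of the ST-Authorization
// check in its vulnerable and hardened forms.

// Vulnerable model: a missing/malformed header and an unconfigured secret
// both arrive as null, and PHP's loose comparison null == null is true.
function vulnerable_is_authorized(?string $header, ?string $secret): bool
{
    return $header == $secret;   // also true for '' == null, so an empty header passes too
}

// Hardened model: refuse the request outright when no secret is configured
// or no header was sent, then compare the two strings in constant time.
function hardened_is_authorized(?string $header, ?string $secret): bool
{
    if ($secret === null || $secret === '' || $header === null || $header === '') {
        return false;
    }
    return hash_equals($secret, $header);
}

// Run one case through both checks so the difference is visible side by side.
function outcome(?string $header, ?string $secret): array
{
    return [
        'vulnerable' => vulnerable_is_authorized($header, $secret),
        'hardened'   => hardened_is_authorized($header, $secret),
    ];
}

// Constructed cases; 's3cret-key' is a placeholder, not a real key.
$cases = [
    'no header, no secret configured' => [null, null],
    'empty header, no secret'         => ['', null],
    'wrong key, secret configured'    => ['guess', 's3cret-key'],
    'correct key, secret configured'  => ['s3cret-key', 's3cret-key'],
];

foreach ($cases as $label => [$header, $secret]) {
    $r = outcome($header, $secret);
    printf("%-34s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export($r['vulnerable'], true),
        var_export($r['hardened'], true));
}
```

Only the last case should ever be accepted; the vulnerable form accepts the first two, which is exactly the unauthenticated path described above. The hardened form treats "no secret configured" as a deployment error rather than as a matching credential.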
Attackers’ Goal: Full Administrative Control
Researchers have observed a range of attacks originating from various IP addresses, all attempting to create persistent admin accounts on vulnerable sites. Some of the IP addresses used include:
- 2a01:e5c0:3167::2
- 2602:ffc8:2:105:216:3cff:fe96:129f
- 89.169.15.201
- 107.173.63.224
To evade detection, attackers frequently change usernames, passwords, and email addresses. This stealthy approach allows them to gain long-term access while remaining under the radar.
What Should Site Owners Do?
Security experts strongly recommend taking the following actions immediately:
- Update the SureTriggers plugin to the latest version.
- If immediate updating is not possible, temporarily deactivate the plugin.
- Check for any new administrator accounts created since April 10.
- Review recently installed plugins, themes, and content changes.
- Analyze server logs for suspicious REST API requests.
- Enable a Web Application Firewall (WAF) for additional protection.
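As an added example for the log-review step (not code from the article or the plugin), the PHP script below parses web-server access-log lines in the common "combined" format, keeps only POST requests to the WordPress REST API under /wp-json/, and annotates each with whether its source address is one of the IPs reported above and whether the request succeeded. The log lines are constructed for the example, and /wp-json/EXAMPLE-ROUTE is a placeholder path, not the plugin's real endpoint.

```php
<?php
// Added example (not from the article or the plugin): triage access-log
// lines for REST API POSTs and flag the source addresses the article lists.

// Source addresses reported in the article.
const REPORTED_SOURCES = [
    '2a01:e5c0:3167::2',
    '2602:ffc8:2:105:216:3cff:fe96:129f',
    '89.169.15.201',
    '107.173.63.224',
];

// Parse one Apache/nginx "combined" log line into its fields, or null if
// the line does not match the format.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the entries worth a closer look: POSTs to /wp-json/, each with the
// reasons it was selected.
function find_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_log_line($line);
        if ($e === null) {
            continue;
        }
        if ($e['method'] !== 'POST' || strpos($e['path'], '/wp-json/') !== 0) {
            continue;
        }
        $reasons = ['POST to REST API'];
        if (in_array($e['ip'], REPORTED_SOURCES, true)) {
            $reasons[] = 'source IP listed in the report';
        }
        if ($e['status'] === 200) {
            $reasons[] = 'request succeeded';
        }
        $e['reasons'] = $reasons;
        $hits[] = $e;
    }
    return $hits;
}

// Constructed sample lines; EXAMPLE-ROUTE is a placeholder path.
$sample = [
    '203.0.113.5 - - [10/Apr/2025:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '89.169.15.201 - - [10/Apr/2025:09:14:03 +0000] "POST /wp-json/EXAMPLE-ROUTE HTTP/1.1" 200 84 "-" "python-requests/2.31"',
    '2a01:e5c0:3167::2 - - [10/Apr/2025:09:20:41 +0000] "POST /wp-json/EXAMPLE-ROUTE HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Apr/2025:10:02:55 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 640 "-" "Mozilla/5.0"',
];

foreach (find_suspicious($sample) as $hit) {
    printf("%s %s %s %s -> %d : %s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'],
        $hit['status'], implode('; ', $hit['reasons']));
}
```

Legitimate editor activity also produces REST POSTs (the last sample line is one), so the output is a triage list rather than a verdict; a successful POST from a reported source, or any REST POST that coincides with a new administrator account, is the combination to prioritise. On a real server, replace the $sample array with the lines read from the access log.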
Jane Smith, a cybersecurity expert at WebDefend, commented on the incident:
“The fact that there were only four hours between disclosure and exploitation highlights just how fast-paced the modern cybersecurity landscape has become. Every minute counts!”
Conclusion
This incident serves as a stark reminder: websites powered by platforms like WordPress must be regularly updated, and their plugins and themes constantly monitored. Routine audits and real-time threat detection are essential. Cybercriminals are growing more advanced and persistent — and we must be equally prepared.