Skip to content

Add CVE-2025-27007 in existing exploit(multi/http/wp_suretriggers_auth_bypass) module #20187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add CVE-2025-27007 in existing exploit(multi/http/wp_suretriggers_auth_bypass) module #20187

wants to merge 1 commit into from

Conversation

Chocapikk
Copy link
Contributor

Hello Metasploit Team,

This change extends the existing SureTriggers/OttoKit Metasploit module by adding support for CVE-2025-27007 alongside the already implemented CVE-2025-3102 flow. Rather than splitting into two modules, both authorization bypass vulnerabilities are handled in one combined exploit since they share common endpoints and can be chained.

Verification

  • Start msfconsole
  • use exploit/multi/http/wp_suretriggers_auth_bypass
  • set RHOSTS <target>
  • set TARGETURI <path>
  • set WP_USER <user>
  • set WP_PASS <password>
  • set ACTION CVE-2025-3102 and run; Verify admin creation and payload execution
  • set ACTION CVE-2025-27007 and run; Verify access key reset, admin creation, and payload execution
  • Verify the check method correctly detects both CVEs
  • Document the combined module in documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md

@bwatters-r7 bwatters-r7 self-assigned this May 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@bwatters-r7 bwatters-r7

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Chocapikk @bwatters-r7