Skip to main content

Serious WordPress plugin vulnerability abused to attack thousands of websites

WordPress 5.9 Beta 1
(Image credit: WordPress)

A serious vulnerability present in tens of thousands of WordPress websites is being abused in the wild, researchers have warned.

Security specialists from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform, called Tatsu Builder.

The vulnerability is tracked as CVE-2021-25094, and was first spotted in late March this year. It’s present in both free and premium versions of the WordPress plugin

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Deploying malware

The attackers are using the flaw in the WordPress plugin to deploy a dropper, which later installs additional malware (opens in new tab). The dropper is usually placed in a random subfolder in wp-content/uploads/typehub/custom/.

The file name starts with a full stop symbol, indicating a hidden file. The researchers are saying this is necessary to exploit the vulnerability, as it takes advantage of a race condition.

Given that the plugin is not listed on the WordPress.org repository, Wordfence says, identifying exactly how many websites have it installed is very hard. Still, the company estimates that anywhere between 20,000 and 50,000 websites utilize Tatsu Builder.

Even though administrators were warned of the flaw some ten days ago, Wordfence believes at least a quarter remain vulnerable, which would mean anywhere between 5,000 and 12,500 websites can still be attacked. 

The attacks, which began a week ago, are still ongoing, the researchers are saying, adding that the attack volume peaked and has been dropping ever since.

Most of them are probing attacks, which seek to determine if the website is vulnerable or not. Apparently, most of the attacks came from just three different IPs.

Admins curious to see if they had been targeted should check their logs for the following query string: /wp-admin/admin-ajax.php?action=add_custom_font

Those with the Tatsu Builder plugin installed are urged to update to the latest version (3.3.13) as soon as possible.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.