Vulnerability in WordPress Tatsu Builder Plugin Is under Attack

Experts warn that hackers are mass-exploiting an RCE vulnerability (CVE-2021-25094) in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 sites.

According to experts, about 50,000 sites still use the vulnerable version of the plugin, although the patch has been available since early April.

Recall that we also wrote that Malware for iPhone Can Work Even When the Device Is Turned Off.

WordPress Tatsu Builder

Tatsu Builder is a popular plugin that offers template editing features right in the browser. The CVE-2021-25094 vulnerability was discovered by independent researcher Vincent Michel in March 2022, and the researcher published a PoC exploit at the same time. The bug allows remote execution of arbitrary code on servers running an outdated version of the plugin (all builds before 3.3.12).

The plugin developers released a fix on April 7, 2022 (version 3.3.13) and notified users of the issue via email, urging them to install the patch as soon as possible.

But as Wordfence analysts now report, between 20,000 and 50,000 sites running a vulnerable version of Tatsu Builder are still reachable online, and hackers are already attacking them.

Large waves of attacks began on May 10, 2022 and are still ongoing. Wordfence reports millions of attacks on its clients. The company writes that on May 14 alone it blocked 5.9 million attack attempts.

"We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication," Wordfence specialists explain.


Experts write that more than a million attacks were made from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218 and 217.160.145[.]62. Site administrators are strongly advised to add these IP addresses to blacklists.

It is reported that the attackers attempt to upload a malware dropper into a subfolder of the wp-content/uploads/typehub/custom/ directory and to store it as a hidden (dot-prefixed) file. The dropper is named .sp3ctra_XO.php and has the MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8.
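As an added illustration of the defensive checks these indicators suggest (example code written for this page, not the article's own or Wordfence's tooling): a Python script that scans the targeted upload directory for hidden PHP files, matches them against the published dropper name and MD5, and reads the plugin's version header to tell whether a build predates the 3.3.13 fix. The WordPress directory layout, the plugin header format and the constructed sample tree are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Indicators quoted in the article (Wordfence's published IoCs).
DROPPER_NAME = ".sp3ctra_XO.php"
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
TARGET_DIR = os.path.join("wp-content", "uploads", "typehub", "custom")
FIXED_VERSION = (3, 3, 13)  # first patched Tatsu Builder release

def scan_uploads(wp_root):
    """Find dot-prefixed PHP files under the targeted upload subtree and
    flag any that match the published dropper name or MD5."""
    findings = []
    for dirpath, _, files in os.walk(os.path.join(wp_root, TARGET_DIR)):
        for name in files:
            if not (name.startswith(".") and name.lower().endswith(".php")):
                continue  # PHP should never be a dotfile under uploads
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            reason = "hidden PHP file in uploads"
            if name == DROPPER_NAME or digest == DROPPER_MD5:
                reason = "known Tatsu dropper IoC"
            findings.append((os.path.relpath(path, wp_root), digest, reason))
    return findings

def tatsu_is_vulnerable(plugin_header):
    """Read the 'Version:' line of the plugin's main-file header (assumed
    layout); every build before 3.3.13 is affected. None = unreadable."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) < FIXED_VERSION

def demo():
    """Build a constructed WordPress tree (sample data, not a real site) with
    one hidden PHP file in the targeted folder, then scan it."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, TARGET_DIR, "sub")
    os.makedirs(sub)
    with open(os.path.join(sub, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG placeholder")
    with open(os.path.join(sub, DROPPER_NAME), "w") as fh:
        fh.write("<?php /* constructed stand-in, not the real dropper */ ?>")
    return scan_uploads(root)
```

An unreadable header returns None rather than False so that a missing version line is never mistaken for a patched install.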


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.