Exploitation of CVE-2021-25094, a remote code execution vulnerability in the popular Tatsu Builder plugin for WordPress, has increased sharply in the wild. A large wave of attacks against vulnerable systems started on May 10th and is still ongoing.
CVE-2021-25094 is exploited by uploading a rogue ZIP file through the plugin’s “add_custom_font” action. The upload is accepted before any authentication, and the archive is extracted under WordPress’ upload directory. If the ZIP file contains a PHP shell whose filename starts with a dot, a race condition lets the file bypass the plugin’s extension check and remain on the filesystem long enough for an attacker to request it. Attacks in the wild have used a PHP shell named “.sp3ctra_XO.php” to achieve remote code execution on the vulnerable system.
Nearly 50,000 websites are estimated to still be running a vulnerable version of the plugin. At the attack’s peak on May 14th, nearly 5.9 million exploit attempts were detected across the Internet.
The vulnerability in the Tatsu plugin has been fixed as of version 3.3.13, so it is highly recommended to upgrade any vulnerable WordPress instance to this version to prevent exploitation. It is also highly recommended to enable automatic WordPress updates for plugins and themes so that vulnerabilities are closed as patches are released. The report notes that nearly a million attacks came from the following three IP addresses:
While threat actors quickly rotate the systems they launch attacks from, the high volume of attacks stemming from these specific IPs makes it worthwhile to add them to blocklists to help prevent potential exploitation. Finally, the dropper used in this attack is placed into a randomly named subfolder under “wp-content/uploads/typehub/custom.” To determine whether a WordPress site has been compromised in this attack, look for a file called “.sp3ctra_XO.php” under this directory. If it is present, or if any other suspicious-looking PHP file exists under this location, a full forensic analysis of the WordPress site is recommended to determine what malicious activity has occurred.
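The compromise check described above, written out as a small POSIX shell script. This is an added example, not a script from the report or from the Tatsu project: it assumes only `sh` and `find`, takes the WordPress root directory as its argument, and flags the known dropper name, any other PHP file, and any dot-prefixed file under the upload path named in the report. The `make_sample_site` helper builds a constructed directory tree so the scan can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not from the original report): scan a WordPress install for
# the Tatsu custom-font dropper location. Assumes POSIX sh and find.

TATSU_UPLOAD_DIR="wp-content/uploads/typehub/custom"   # path named in the report
KNOWN_IOC=".sp3ctra_XO.php"                            # filename named in the report

# Scan the Tatsu custom-font upload directory under the WordPress root $1.
# Prints one line per finding, classified as KNOWN IOC, SUSPICIOUS PHP or
# HIDDEN FILE. Returns 0 when nothing is found, 1 when at least one file is.
scan_tatsu_uploads() {
    wp_root="$1"
    target="$wp_root/$TATSU_UPLOAD_DIR"
    if [ ! -d "$target" ]; then
        echo "no $TATSU_UPLOAD_DIR directory under $wp_root"
        return 0
    fi
    # find's '*' also matches a leading dot, so '*.php' covers '.foo.php' too.
    hits=$(find "$target" -type f \( -iname '*.php' -o -name '.*' \) 2>/dev/null)
    [ -n "$hits" ] || return 0
    echo "$hits" | while IFS= read -r f; do
        name=$(basename "$f")
        case "$name" in
            "$KNOWN_IOC") echo "KNOWN IOC: $f" ;;        # exact dropper name from the report
            *.php|*.PHP) echo "SUSPICIOUS PHP: $f" ;;   # any other PHP file in an upload dir
            .*)          echo "HIDDEN FILE: $f" ;;      # dot-prefixed files drove the bypass
        esac
    done
    return 1
}

# Build a constructed sample tree under $1 (hypothetical data, for demonstration):
# one copy of the known dropper, one innocuous font file and one hidden file.
make_sample_site() {
    root="$1"
    sub="$root/$TATSU_UPLOAD_DIR/a1b2c3d4"
    mkdir -p "$sub"
    : > "$sub/$KNOWN_IOC"
    : > "$sub/legit-font.ttf"
    : > "$sub/.htaccess"
}
```

Run it as `scan_tatsu_uploads /var/www/html` from a shell that has sourced the script; a non-zero exit status means something was found, which makes it easy to wire into a cron job or a monitoring check across many hosts.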