Exploitation of CVE-2021-25094, a remote code execution vulnerability in the popular Tatsu Builder plugin for WordPress, has increased sharply in the wild. A large wave of attacks against sites running a vulnerable version of the plugin started on May 10th and is still ongoing.
CVE-2021-25094 is exploited by uploading a rogue ZIP file through the plugin's "add_custom_font" action. The upload is accepted without authentication, and the archive is extracted under WordPress' uploads directory. If the ZIP contains a PHP shell whose filename starts with a dot, a race condition lets the file slip past the plugin's extension check and remain on the filesystem long enough for the attacker to request it over HTTP. Attacks observed in the wild have used a PHP shell named ".sp3ctra_XO.php" to achieve remote code execution on the vulnerable site. Because the file is dot-prefixed, a plain directory listing will not show it; responders checking an uploads tree should list hidden files explicitly.
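The following is an added example, not code from the Tatsu Builder plugin or from the advisory above. It models the "extract first, filter afterwards" pattern the page describes, and shows why a dot-prefixed shell such as ".sp3ctra_XO.php" can survive a post-extraction cleanup: the assumption here (not stated on the page) is that the cleanup enumerates extracted files with a shell-style glob, which skips dot-prefixed names, so the hidden file is never examined. The page attributes the bypass to a race condition; this model shows only the simpler "never examined" case. The font extension allowlist, the archive contents and the uploads tree are all constructed for the demo. The hardened variant validates every archive member before anything is written to disk, and a small hunting helper lists dot-prefixed .php files that a glob-based scan would miss.

```python
"""Added example modelling the dotfile bypass described in the advisory.
Not the plugin's code; the glob-based cleanup is an assumption."""
import glob
import io
import os
import tempfile
import zipfile

# Constructed allowlist of font extensions; the plugin's real list is unknown.
ALLOWED_FONT_EXTENSIONS = {".ttf", ".otf", ".woff", ".woff2", ".eot", ".svg"}


def build_attacker_zip() -> bytes:
    """Constructed attacker archive: one harmless font plus a hidden PHP shell
    using the filename reported in the in-the-wild attacks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("legit.ttf", b"\x00\x01\x00\x00 fake font bytes")
        zf.writestr(".sp3ctra_XO.php", b"<?php system($_GET['c']); ?>")
    return buf.getvalue()


def extension_of(name: str) -> str:
    """Extension as PHP's pathinfo() would report it: '.sp3ctra_XO.php' -> '.php'."""
    idx = name.rfind(".")
    return name[idx:].lower() if idx > 0 else ""


def vulnerable_cleanup(extract_dir: str) -> list:
    """Delete non-font files AFTER extraction, enumerating with glob('*').
    glob() does not match dot-prefixed names, so hidden files are never seen."""
    removed = []
    for path in glob.glob(os.path.join(extract_dir, "*")):
        if extension_of(os.path.basename(path)) not in ALLOWED_FONT_EXTENSIONS:
            os.remove(path)
            removed.append(os.path.basename(path))
    return removed


def run_vulnerable_flow(zip_bytes: bytes) -> list:
    """Extract, then clean up; returns what is left on disk."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(d)
        vulnerable_cleanup(d)
        return sorted(os.listdir(d))


def hardened_handle(zip_bytes: bytes, extract_dir: str) -> list:
    """Reject the whole archive BEFORE writing anything if any member is not a
    flat, non-hidden file with an allowlisted extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = os.path.basename(name)
            if (name != base or base.startswith(".")
                    or extension_of(base) not in ALLOWED_FONT_EXTENSIONS):
                raise ValueError(f"rejected archive member: {name!r}")
        zf.extractall(extract_dir)
    return sorted(os.listdir(extract_dir))


def run_hardened_flow(zip_bytes: bytes):
    """Returns the extracted names, or the rejection message as a string."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return hardened_handle(zip_bytes, d)
        except ValueError as e:
            return str(e)


def find_hidden_php(root: str) -> list:
    """Hunting helper: dot-prefixed .php files anywhere under an uploads tree."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith(".") and extension_of(f) == ".php":
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def demo_hidden_php_hunt() -> list:
    """Builds a constructed uploads tree and returns basenames of hunt hits."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "typehub", "custom"))
        for name in (".sp3ctra_XO.php", "ok.ttf", "index.php"):
            open(os.path.join(d, "typehub", "custom", name), "w").close()
        return [os.path.basename(p) for p in find_hidden_php(d)]


if __name__ == "__main__":
    z = build_attacker_zip()
    print("vulnerable flow leaves:", run_vulnerable_flow(z))
    print("hardened flow:", run_hardened_flow(z))
    print("hidden PHP found:", demo_hidden_php_hunt())
```

Run stand-alone, the vulnerable flow leaves both `legit.ttf` and `.sp3ctra_XO.php` on disk, while the hardened flow rejects the archive outright on the hidden member. The design point is the order of operations: validating archive members before extraction removes the window in which a file exists on disk at all, whereas any "extract then delete" scheme leaves a window that a race or an enumeration gap can exploit.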
Nearly 50,000 websites are estimated to still be running a vulnerable version of the plugin. At the attack’s peak on May 14th, nearly 5.9 million exploit attempts were detected across the Internet.