Wordfence reports that attackers are mass-exploiting a remote code execution flaw in the Tatsu Builder plugin for WordPress.
WordPress is one of the most widely used content management systems (CMS) today, which makes its plugin ecosystem an attractive target: attackers are mass-exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on approximately 100,000 websites.
Hackers exploit flaw in WordPress Tatsu Builder plugin
Tatsu Builder is a popular plugin that offers powerful template editing features built right into the web browser. An estimated 50,000 sites are still running a vulnerable version of the plugin, even though a patch has been available since early April.
Large waves of attacks began on May 10, 2022 and peaked four days later, on May 14. Exploitation is ongoing.
The targeted vulnerability is CVE-2021-25094, which allows an unauthenticated remote attacker to execute arbitrary code on servers running an outdated version of the plugin (all versions prior to 3.3.12); the fully patched release is 3.3.13.
The vendor fixed the issue in version 3.3.13 and emailed users on April 7, 2022, asking them to apply the update.
Wordfence, a WordPress security vendor, is tracking the ongoing attacks. Its researchers estimate that between 20,000 and 50,000 websites are still running a vulnerable version of Tatsu Builder.
Wordfence reports seeing millions of attacks against its customers, having blocked 5.9 million attempts as of May 14, 2022.
Volume decreased over the following days, but exploitation attempts remain at a high level.
The attackers attempt to write a malware dropper into a subfolder of the wp-content/uploads/typehub/custom/ directory, storing it as a hidden (dot-prefixed) file so it does not show up in a plain directory listing.
The dropper is named .sp3ctra_XO.php and has the MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8.
Wordfence reports that over a million of the attacks came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218 and 217.160.145[.]62. Site administrators are advised to add these IPs to their block list.
These indicators of compromise are of course not stable: the attacker can switch to other IPs and file names, especially now that these have been publicly exposed, so blocking them is no substitute for patching.
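As an added practical check (example code written for this page, not Wordfence's or the plugin vendor's tooling), the script below hunts for the indicators above on a site: it walks wp-content/uploads/typehub/custom/ for any PHP file, flags hidden files and files whose name or MD5 matches the reported dropper, and counts requests from the three reported IPs in access-log lines. The WordPress root, the subfolder name a1b2c3, the function names, and the sample upload tree and log lines are all assumptions constructed for the demonstration; in practice, point scan_uploads() at the real document root and feed ioc_hits_in_log() real access-log lines.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators of compromise taken from the Wordfence report summarised above.
DROPPER_NAME = ".sp3ctra_XO.php"
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
ATTACKER_IPS = {"148.251.183.254", "176.9.117.218", "217.160.145.62"}
TYPEHUB_CUSTOM = Path("wp-content/uploads/typehub/custom")


def md5_of(path):
    """MD5 of a file, read in chunks so large uploads are not slurped into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_uploads(wp_root):
    """Return every PHP file under the typehub custom directory, with IOC status.

    A .php file under wp-content/uploads is suspicious on its own (that tree
    should hold media, not code); one carrying the reported name or hash is a
    confirmed hit. Findings are sorted by path so output is stable.
    """
    wp_root = Path(wp_root)
    custom = wp_root / TYPEHUB_CUSTOM
    findings = []
    if not custom.is_dir():
        return findings
    for dirpath, _dirs, files in os.walk(custom):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = Path(dirpath) / name
            digest = md5_of(full)
            findings.append({
                "path": full.relative_to(wp_root).as_posix(),
                "hidden": name.startswith("."),
                "md5": digest,
                "ioc_match": name == DROPPER_NAME or digest == DROPPER_MD5,
            })
    return sorted(findings, key=lambda f: f["path"])


def ioc_hits_in_log(lines):
    """Count requests from the reported attacker IPs in combined-format access log lines.

    Only the leading client-address field is inspected; other IPs are ignored.
    """
    hits = {}
    for line in lines:
        ip = line.split(" ", 1)[0]
        if ip in ATTACKER_IPS:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


# Constructed sample access-log lines (not from a real incident).
SAMPLE_LOG = [
    '148.251.183.254 - - [14/May/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2022:10:01:05 +0000] "GET / HTTP/1.1" 200 8192',
    '176.9.117.218 - - [14/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '148.251.183.254 - - [14/May/2022:10:02:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0',
    '217.160.145.62 - - [14/May/2022:10:03:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
]


def build_sample_site(root):
    """Create a constructed WordPress upload tree with one planted hidden dropper.

    The planted file holds placeholder bytes, not the real dropper, so it
    matches on name only and its MD5 differs from the reported hash.
    """
    root = Path(root)
    media = root / "wp-content/uploads/2022/05"
    media.mkdir(parents=True)
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    planted = root / TYPEHUB_CUSTOM / "a1b2c3"  # hypothetical subfolder name
    planted.mkdir(parents=True)
    (planted / DROPPER_NAME).write_bytes(b"<?php /* placeholder, not the real dropper */ ?>")


def run_demo():
    """Build the sample site in a temp dir, scan it, and check the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        files = scan_uploads(tmp)
    return {"files": files, "log": ioc_hits_in_log(SAMPLE_LOG)}


if __name__ == "__main__":
    result = run_demo()
    for f in result["files"]:
        label = "IOC HIT   " if f["ioc_match"] else "suspicious"
        print(f"{label} {f['path']} md5={f['md5']}")
    for ip, n in sorted(result["log"].items()):
        print(f"{ip}: {n} request(s) -> add to block list")
```

Because the attacker can rename the dropper or change its bytes, the scan reports every PHP file under the uploads tree, not only exact IOC matches; anything it lists deserves a look, and the IP list should be treated as a starting point rather than a complete block list.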
All users of the Tatsu Builder plugin are strongly advised to update to version 3.3.13 or later to remove the risk of compromise.