Hackers exploit flaw in WordPress Tatsu Builder plugin

Wordfence has discovered that some hackers are massively exploiting a flaw in the WordPress Tatsu Builder plugin.

Taking advantage of the fact that WordPress is one of the most widely used content management systems (CMS) today, some hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on approximately 100,000 websites.


Tatsu Builder is a popular plugin that offers powerful template editing capabilities built right into your web browser. It is estimated that up to 50,000 sites are still running a vulnerable version of the plugin, although a patch has been available since early April.

Large waves of attacks began on May 10, 2022 and peaked four days later. Exploitation is ongoing.

The targeted vulnerability is CVE-2021-25094. It allows a remote attacker to execute arbitrary code on servers running an outdated version of the plugin (all versions prior to 3.3.12).

The flaw was discovered by independent researcher Vincent Michel, who publicly disclosed it on March 28, 2022, along with proof-of-concept (PoC) exploit code.

The vendor released a patch in version 3.3.13 and alerted users via email on April 7, 2022, asking them to apply the update.

Figure: Number of sites attacked (Wordfence)

Wordfence, a company that offers a security solution for WordPress plugins, monitors ongoing attacks. Researchers estimate that there are between 20,000 and 50,000 websites running a vulnerable version of Tatsu Builder.

Attack Details

Wordfence reports having seen millions of attacks against its customers, blocking 5.9 million attempts as of May 14, 2022.

Figure: Attacks detected and blocked by Wordfence

Volume decreased in the following days, but exploitation attempts remain at high levels.

Threat actors attempt to inject a malware dropper into a subfolder of the “wp-content/uploads/typehub/custom/” directory, storing it as a hidden (dot-prefixed) file.

Figure: Extension file check function that skips hidden files (darkpills)

The dropper is named “.sp3ctra_XO.php” and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Wordfence reports that over a million attacks came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218 and 217.160.145[.]62. Site administrators are advised to add these IPs to their block list.

Of course, these indicators of compromise are not stable and the attacker can switch to others, especially now that they have been publicly exposed.
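As an added illustration (not code from the article, Wordfence or the plugin vendor), the following Python check walks the wp-content/uploads/typehub/custom/ tree named above, flags any hidden or unexpected PHP file there, and compares each flagged file's MD5 against the dropper hash given in the article. Because the indicators can change, it does not rely on the filename or hash alone: any PHP file under that uploads path is reported. The sample site tree it builds is constructed for the demonstration, and the placeholder file contents are not the real dropper.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators of compromise quoted from the article
KNOWN_DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
KNOWN_DROPPER_NAME = ".sp3ctra_XO.php"
# Upload path the attackers write into, relative to the WordPress root
TARGET_SUBDIR = Path("wp-content/uploads/typehub/custom")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_uploads(wp_root):
    """Return a list of findings for suspicious files under the typehub/custom tree.

    Each finding is a dict with the relative path, the file's MD5 and the
    reasons it was flagged. PHP files do not belong in an uploads directory,
    so every PHP-like file is reported; hidden ones and hash matches get
    extra reasons so an analyst can prioritise them.
    """
    wp_root = Path(wp_root)
    base = wp_root / TARGET_SUBDIR
    findings = []
    if not base.is_dir():
        return findings
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:
            reasons = []
            lowered = name.lower()
            if name == KNOWN_DROPPER_NAME:
                reasons.append("known dropper filename")
            if lowered.endswith(PHP_EXTENSIONS):
                if name.startswith("."):
                    reasons.append("hidden PHP file in uploads")
                else:
                    reasons.append("PHP file in uploads directory")
            if not reasons:
                continue
            full = Path(dirpath) / name
            digest = md5_of(full)
            if digest == KNOWN_DROPPER_MD5:
                reasons.append("MD5 matches known dropper")
            findings.append({
                "path": os.fspath(full.relative_to(wp_root)),
                "md5": digest,
                "reasons": reasons,
            })
    return findings


def build_sample_site():
    """Constructed sample WordPress tree for the demonstration (hypothetical).

    The hidden file reuses the dropper's name but holds harmless placeholder
    text, so the name matches while the MD5 does not.
    """
    root = Path(tempfile.mkdtemp())
    custom = root / TARGET_SUBDIR / "abc123"
    custom.mkdir(parents=True)
    (custom / "font.css").write_text("body { margin: 0; }\n")
    (custom / KNOWN_DROPPER_NAME).write_text("<?php /* constructed placeholder */ ?>\n")
    (custom / "legit-looking.php").write_text("<?php echo 'constructed'; ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_uploads(site):
        print(finding["path"], finding["md5"], ", ".join(finding["reasons"]))
```

Run it against a real site root in place of the constructed tree (for example `scan_uploads("/var/www/html")`); a match on the filename or hash is a strong signal, but any PHP file in this uploads path deserves a look even if neither matches.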

It is strongly recommended that all users of the Tatsu Builder plugin update to version 3.3.13 to avoid the risk of an attack.
