A serious vulnerability present in tens of thousands of WordPress websites is being abused in the wild, researchers have warned.
Security specialists from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform, called Tatsu Builder.
The vulnerability is tracked as CVE-2021-25094, and was first spotted in late March this year. It’s present in both free and premium versions of the WordPress plugin.
Deploying malware
The attackers are using the flaw in the WordPress plugin to deploy a dropper, which later installs additional malware. The dropper is usually placed in a random subfolder in inc/uploads/typehub/custom/.
The file name starts with a full stop symbol, indicating a hidden file. The researchers are saying this is necessary to exploit the vulnerability, as it takes advantage of a race condition.
Given that the plugin is not listed on the WordPress.org repository, Wordfence says, identifying exactly how many websites have it installed is very hard. Still, the company estimates that anywhere between 20,000 and 50,000 websites utilize Tatsu Builder.
Even though administrators were warned of the flaw some ten days ago, Wordfence believes at least a quarter remain vulnerable, which would mean anywhere between 5,000 and 12,500 websites can still be attacked.
The attacks, which began a week ago, are still ongoing, the researchers are saying, adding that the attack volume peaked and has been dropping ever since.
Most of them are probing attacks, which seek to determine if the website is vulnerable or not. Apparently, most of the attacks came from just three different IPs.
Admins curious to see if they had been targeted should check their logs for the following query string: /ajax?action=add_custom_font
Those with the Tatsu Builder plugin installed are urged to update to the latest version (3.3.13) as soon as possible.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba