Millions of Cyberattacks Are Targeting Tatsu WordPress Plugin

Tatsu Builder is a popular plugin that integrates very effective template modification tools directly into the user’s web browser.

What Happened?

Hackers are making extensive use of a remote code execution vulnerability known as CVE-2021-25094 that is present in the Tatsu Builder plugin for WordPress. This plugin is used on about 100,000 different websites.

The vulnerability that is being targeted is known as CVE-2021-25094, and it enables an external attacker to execute arbitrary code on servers that have an out-of-date version of the plugin (all builds before 3.3.12).

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress’s upload directory. By adding a PHP shell with a filename starting with a dot “.”, this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.


Wordfence, a company that offers a safety solution for plugins that are used with WordPress, has been keeping a close watch on the latest attacks. The number of websites that utilize

Read More: