A remote code execution vulnerability in the Tatsu Builder plugin for WordPress, which is deployed on roughly 100,000 websites, is being widely exploited by hackers.
Although a patch has been available since early April, it is anticipated that up to 50,000 websites still use a vulnerable version of the plugin.
On May 10, 2022, large attack waves began and peaked four days later. Exploitation is still going on.
Tatsu Builder is a well-known plugin that integrates strong template modification features directly into the web browser.
CVE-2021-25094 is the targeted vulnerability, which allows a remote attacker to execute arbitrary code on servers using an older version of the plugin (all builds before 3.3.12).
Independent researcher Vincent Michel discovered the weakness and publicly revealed it on March 28, 2022, along with proof of concept (PoC) exploit code.
On April 7, 2022, the vendor released a patch for version 3.3.13 and notified users by email, asking them to update.
Wordfence, a business that provides protection for WordPress plugins, has been keeping an eye on the latest attacks. According to the researchers, between 20,000 and 50,000 websites use a vulnerable version of Tatsu Builder.
Attack specifics
On May 14, 2022, Wordfence reported seeing millions of attacks against its clients, preventing a stunning 5.9 million of them.
The volume has decreased in recent days, but exploitation efforts have remained high.
The threat actors try to hide a malware dropper by placing it in a subfolder of the “wp-content/uploads/typehub/custom/” directory.
The dropper’s MD5 hash is 3708363c5b7bf582f8477b1c82c8cbf8 and its name is “.sp3ctra_XO.php.”
More than a million attacks were reported by Wordfence from just three IP addresses:
148.251.183.254
176.9.117.218
217.160.145.62
52.189.119.150
It is recommended that website administrators add these IPs to their blocklist.
Of course, these indicators of compromise aren’t permanent, and the attacker could change them now that they’ve been published publicly.
To prevent attack risks, all Tatsu Builder plugin users are highly advised to upgrade to version 3.3.13.
