Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites.
Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April.
Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.
Tatsu Builder is a popular plugin that offers powerful template editing features integrated right into the web browser.
The targeted vulnerability is CVE-2021-25094, allows a remote attacker to execute arbitrary code on the servers with an outdated version of the plugin (all builds before 3.3.12).
The vendor released a patch in version 3.3.13 and alerted users via email on April 7, 2022, urging them to apply the update.
Wordfence, a company offering a security solution for WordPress plugins, has been monitoring the current attacks. The researchers estimate that there are between 20,000 and 50,000 websites that run a vulnerable version of Tatsu Builder.
Wordfence reports seeing millions of attacks against its customers, blocking a whopping 5.9 million attempts on May 14, 2022.
The volume has declined in the following days, but exploitation efforts continue at high levels.
The threat actors attempt to inject a malware dropper into a subfolder of the “wp-content/uploads/typehub/custom/” directory and make it a hidden file.
The dropper is named “.sp3ctra_XO.php” and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.
Wordfence reports that more than a million attacks came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218, and 217.160.145[.]62. Website administrators are advised to add these IPs to their blocklist.
Of course, these indicators of compromise aren’t stable and the attacker could switch to different ones, especially now that they have been publicly exposed.
All users of the Tatsu Builder plugin are strongly recommended to upgrade to version 3.3.13 to avoid attack risks.