A serious vulnerability present in tens of thousands of WordPress websites is being abused in the wild, researchers have warned.
Security specialists from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform, called Tatsu Builder.
The vulnerability is tracked as CVE-2021-25094, and was first spotted in late March this year. It’s present in both free and premium versions of the WordPress plugin.
Deploying malware
The attackers are using the flaw in the WordPress plugin to deploy a dropper, which later installs additional malware. The dropper is usually placed in a random subfolder in wp-content/uploads/typehub/custom/.
The file name starts with a full stop symbol, indicating a hidden file. The researchers are saying this is necessary to exploit the vulnerability, as it takes advantage of a race condition.
Given that the plugin is not listed on the WordPress.org repository, Wordfence says, identifying exactly how many websites have it installed is very hard. Still, the company estimates that anywhere between 20,000 and 50,000 websites utilize Tatsu Builder.
Even though administrators were warned of the flaw some ten days ago, Wordfence believes at least a quarter remain vulnerable, which would mean anywhere between 5,000 and 12,500 websites can still be attacked.
The attacks, which began a week ago, are still ongoing, the researchers are saying, adding that the attack volume peaked and has been dropping ever since.
Most of them are probing attacks, which seek to determine if the website is vulnerable or not. Apparently, most of the attacks came from just three different IPs.
Admins curious to see if they had been targeted should check their logs for the following query string: /wp-admin/admin-ajax.php?action=add_custom_font
Those with the Tatsu Builder plugin installed are urged to update to the latest version (3.3.13) as soon as possible.
