Cybercriminals Target Tatsu WordPress Plugin in Numerous Attacks 

A remote code execution flaw (CVE-2021-25094) in the Tatsu Builder plugin for WordPress, which is installed on roughly 100,000 websites, is being exploited at scale. Although a fix has been available since early April, it is estimated that up to 50,000 websites still run a vulnerable version of the plugin. 

Large-scale attack waves began on May 10, 2022, and peaked four days later; exploitation attempts are still ongoing. Tatsu Builder is a popular page-builder plugin that brings template editing tools directly into the browser. 

The targeted vulnerability, CVE-2021-25094, allows an unauthenticated remote attacker to execute arbitrary code on servers running an older version of the plugin (all builds prior to 3.3.12). Independent researcher Vincent Michel identified the weakness and publicly disclosed it on March 28, 2022, along with proof-of-concept (PoC) exploit code. 

On April 7, 2022, the vendor released a patch in version 3.3.13 and emailed users asking them to update. Wordfence, a WordPress security company, has been monitoring the ongoing attacks; its researchers estimate that between 20,000 and 50,000 websites still run a vulnerable version of Tatsu Builder. 

On May 14, 2022, Wordfence reported seeing millions of attack attempts against its customers, of which it blocked 5.9 million. The volume has decreased in recent days, but exploitation attempts remain high. The attackers try to hide a malware dropper in a subdirectory of the “wp-content/uploads/typehub/custom/” directory. 

The dropper is named “.sp3ctra XO.php” (the leading dot makes it a hidden file on Unix-like systems) and has the MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8. More than a million attack attempts observed by Wordfence came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218, and 217.160.145[.]62. Website administrators are advised to add these IPs to their blocklist. 

Of course, these indicators of compromise are not permanent, and the attackers may change them now that they have been published. To eliminate the risk, all Tatsu Builder users are strongly advised to upgrade to version 3.3.13 or later. 
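As an added example that is not part of the article, nor code from Wordfence or the Tatsu vendor, the Python script below turns the indicators above into a local hunt: it reads the plugin version from its WordPress header, walks wp-content/uploads/typehub/custom/ for PHP or hidden files and the published dropper hash, and flags web-server access log lines that come from the three listed IPs or request a PHP file under that upload path. The plugin header location wp-content/plugins/tatsu/tatsu.php, the sample log lines, and the fake WordPress tree with a placeholder dropper are constructed assumptions, not data from the article.

```python
"""Hunt for the Tatsu Builder (CVE-2021-25094) indicators described above.

Added example, not code from the article, Wordfence or the Tatsu vendor.
The hash, upload path, dropper name and IPs are the article's; the log lines,
the fake WordPress tree and the plugin header path are constructed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
DROPPER_NAME = ".sp3ctra XO.php"
UPLOAD_DIR = Path("wp-content/uploads/typehub/custom")
ATTACKER_IPS = {"148.251.183.254", "176.9.117.218", "217.160.145.62"}
PATCHED_VERSION = (3, 3, 13)  # first release the article names as fixed
PLUGIN_MAIN = Path("wp-content/plugins/tatsu/tatsu.php")  # assumed location
PHP_EXT = re.compile(r"\.ph(p\d?|tml)$", re.IGNORECASE)
# Combined log format: client IP ... "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(header_text):
    """Extract 'Version: 3.3.11' from a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_unpatched(version):
    """Treat an unreadable version or anything below 3.3.13 as exposed."""
    return version is None or version < PATCHED_VERSION


def scan_uploads(wp_root):
    """Flag files under typehub/custom that do not belong in an uploads tree:
    PHP code, hidden dotfiles, and the published dropper hash."""
    root, findings = Path(wp_root), []
    base = root / UPLOAD_DIR
    for p in (base.rglob("*") if base.is_dir() else []):
        if not p.is_file():
            continue
        reasons = []
        if PHP_EXT.search(p.name):
            reasons.append("php-in-uploads")
        if p.name.startswith("."):
            reasons.append("hidden-file")
        if hashlib.md5(p.read_bytes()).hexdigest() == DROPPER_MD5:
            reasons.append("known-dropper-hash")
        if reasons:
            findings.append((p.relative_to(root).as_posix(), reasons))
    return findings


def scan_access_log(lines):
    """Flag requests from the published IPs and any HTTP access to a PHP file
    under typehub/custom, which is the dropper being invoked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = unquote(path.split("?", 1)[0])  # drop query string, decode %20
        reasons = []
        if ip in ATTACKER_IPS:
            reasons.append("known-attacker-ip")
        if "/uploads/typehub/custom/" in path and PHP_EXT.search(path):
            reasons.append("dropper-accessed")
        if reasons:
            hits.append((ip, method, path, int(status), reasons))
    return hits


# Constructed sample access log; 203.0.113.7 (RFC 5737) stands in for normal traffic.
SAMPLE_LOG = [
    '148.251.183.254 - - [14/May/2022:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2022:10:02:12 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '176.9.117.218 - - [14/May/2022:10:02:15 +0000] "GET /wp-content/uploads/typehub/custom/r4nd0m/.sp3ctra%20XO.php?c=id HTTP/1.1" 200 44 "-" "curl/7.68.0"',
]


def build_demo_tree(root=None):
    """Constructed fake install: an outdated plugin header plus a planted placeholder
    dropper (not the real malware, so only its name and location will match)."""
    root = Path(root or tempfile.mkdtemp(prefix="wp-demo-"))
    custom = root / UPLOAD_DIR / "r4nd0m"
    custom.mkdir(parents=True)
    (custom / "font.woff").write_bytes(b"wOFF not really a font")
    (custom / DROPPER_NAME).write_text("<?php /* placeholder */ ?>")
    (root / PLUGIN_MAIN).parent.mkdir(parents=True)
    (root / PLUGIN_MAIN).write_text("<?php\n/*\nPlugin Name: Tatsu\nVersion: 3.3.11\n*/\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        wp = build_demo_tree(tmp)
        version = parse_version((wp / PLUGIN_MAIN).read_text())
        print("plugin version:", version, "unpatched:", is_unpatched(version))
        print("suspicious files:", scan_uploads(wp))
        print("log hits:", scan_access_log(SAMPLE_LOG))
```

Run it as-is against the constructed tree, or point scan_uploads() and parse_version() at a real document root and feed scan_access_log() your web server's access log. As the article notes, the hash, file name and IPs can change at any time, so the location-based checks (any PHP file or dotfile inside an uploads tree, any request executing PHP from that tree) are the more durable signal; the hash match is only confirmation.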

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.