Description: Unauthenticated Remote Code Execution Affected Plugin: Tatsu Builder Plugin Slug: tatsu Plugin Developer: BrandExponents Affected Versions: < 3.3.13 CVE ID: CVE-2021-25094 CVSS Score: 8.1 (High) CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Vincent Michel (darkpills) Fully Patched Version: 3.3.13 Indicators of Attack Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin. These may appear in your logs with the following URL: /wp-admin/admin-ajax.php?action=add_custom_font The vast majority of attacks are the work of just a few IP addresses. The top 3 attacking IP addresses have each attacked over 1 million sites: 148.251.183.254 176.9.117.218 217.160.145.62 An additional 15 IP addresses have each attacked over 100,000 sites: 65.108.104.19 62.197.136.102 51.38.41.15 31.210.20.170 31.210.20.101 85.202.169.175 85.202.169.71 85.202.169.86 85.202.169.36 85.202.169.83 85.202.169.92 194.233.87.7 2.56.56.203 85.202.169.129 135.181.0.188 Indicators of Compromise The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd. The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8. Note the dot at the beginning as this indicates a hidden file, which is necessary to exploit the vulnerability as it takes advantage of a race condition. This file is detected by the Wordfence scanner. What Should I do? All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues. If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover. If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.