A serious vulnerability present in tens of thousands of WordPress websites is being abused in the wild, researchers have warned.
Security specialists from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform, called Tatsu Builder.
The vulnerability is tracked as CVE-2021-25094, and was first spotted in late March this year. It’s present in both free and premium versions of the WordPress plugin.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
The attackers are using the flaw in the WordPress plugin to deploy a dropper, which later installs additional malware (opens in new tab). The dropper is usually placed in a random subfolder in wp-content/uploads/typehub/custom/.
The file name starts with a full stop symbol, indicating a hidden file. The researchers are saying this is necessary to exploit the vulnerability, as it takes advantage of a race condition.
Given that the plugin is not listed on the WordPress.org repository, Wordfence says, identifying exactly how many websites have it installed is very hard. Still, the company estimates that anywhere between 20,000 and 50,000 websites utilize Tatsu Builder.
Even though administrators were warned of the flaw some ten days ago, Wordfence believes at least a quarter remain vulnerable, which would mean anywhere between 5,000 and 12,500 websites can still be attacked.
> WordPress plugin vulnerability exposed millions of websites to attack (opens in new tab)
> Nasty WordPress plugin bug puts thousands of sites at risk (opens in new tab)
> Yet another WordPress plugin puts hundreds of thousands of sites at risk (opens in new tab)
The attacks, which began a week ago, are still ongoing, the researchers are saying, adding that the attack volume peaked and has been dropping ever since.
Most of them are probing attacks, which seek to determine if the website is vulnerable or not. Apparently, most of the attacks came from just three different IPs.
Admins curious to see if they had been targeted should check their logs for the following query string: /wp-admin/admin-ajax.php?action=add_custom_font
Those with the Tatsu Builder plugin installed are urged to update to the latest version (3.3.13) as soon as possible.
- These are the best endpoint protection services right now (opens in new tab)