Experts warn that hackers are mass-exploiting an RCE vulnerability (CVE-2021-25094) in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 sites. About 50,000 sites still run the vulnerable version of the plugin, although a patch has been available since early April.
Tatsu Builder is a popular plugin that offers template editing directly in the browser. CVE-2021-25094 was discovered by independent researcher Vincent Michel in March of this year, and he published a PoC exploit at the same time. The bug allows an attacker to execute arbitrary code remotely on servers running an outdated version of the plugin (all builds before 3.3.12).
The plugin developers released a fix on April 7, 2022 (version 3.3.13) and notified users of the issue by email, urging them to install the patch as soon as possible. But as Wordfence analysts now report, between 20,000 and 50,000 sites running a vulnerable version of Tatsu Builder are still reachable online, and hackers are already attacking them.
Large waves of attacks began on May 10, 2022 and are still ongoing. Wordfence reports millions of attack attempts against its customers; on May 14 alone it blocked 5.9 million. Although attacker activity has decreased in recent days, the volume of attacks remains high.
Experts write that more than a million attacks came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218, and 217.160.145[.]62. Site administrators are strongly advised to add these addresses to their blocklists.
In these attacks, the adversaries attempt to write a malware dropper into a subfolder of the wp-content/uploads/typehub/custom/ directory as a hidden (dot-prefixed) file. The dropper is named .sp3ctra_XO.php and has the MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8.
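As an added example (not code from the article or from Wordfence), the following Python script walks a WordPress web root and reports PHP files under the typehub/custom upload path, calling out a filename or MD5 match with the dropper indicators quoted above. The sample directory tree and the placeholder file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the article for the Tatsu Builder (CVE-2021-25094) campaign.
DROPPER_NAME = ".sp3ctra_XO.php"
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
UPLOAD_SUBDIR = os.path.join("wp-content", "uploads", "typehub", "custom")


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_wordpress_root(webroot):
    """Walk typehub/custom under webroot and return (relative_path, reason) pairs.

    Any PHP file under uploads deserves a look (uploads should hold no executable
    code); a hash or filename match with the reported dropper is flagged explicitly.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(os.path.join(webroot, UPLOAD_SUBDIR)):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            if md5_of_file(full) == DROPPER_MD5:
                findings.append((rel, "md5 matches reported dropper"))
            elif name == DROPPER_NAME:
                findings.append((rel, "filename matches reported dropper"))
            elif name.startswith("."):
                findings.append((rel, "hidden php file in uploads"))
            else:
                findings.append((rel, "php file in uploads directory"))
    return findings


def demo():
    # Constructed sample tree: the dropper name is planted with placeholder
    # content, so the filename rule fires but the hash rule does not.
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, UPLOAD_SUBDIR, "abc123")
        os.makedirs(sub)
        with open(os.path.join(sub, DROPPER_NAME), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>")
        return scan_wordpress_root(root)
```

Point `scan_wordpress_root()` at a real web root to list every PHP file in that upload tree; a hash match confirms the reported dropper, while any other PHP file there still warrants review.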