Tatsu Builder is a popular plugin that integrates very effective template modification tools directly into the user’s web browser.

What Happened?

Hackers are making extensive use of a remote code execution vulnerability known as CVE-2021-25094 that is present in the Tatsu Builder plugin for WordPress. This plugin is used on about 100,000 different websites.

The vulnerability that is being targeted is known as CVE-2021-25094, and it enables an external attacker to execute arbitrary code on servers that have an out-of-date version of the plugin (all builds before 3.3.12).

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress’s upload directory. By adding a PHP shell with a filename starting with a dot “.”, this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.


Wordfence, a company that offers a safety solution for plugins that are used with WordPress, has been keeping a close watch on the latest attacks. The number of websites that utilize a vulnerable version of Tatsu Builder is estimated to vary anywhere from 20,000 to 50,000 by the researchers who conducted the study.

The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.


Wordfence has said that its clients have been the target of millions of assaults, and the company has successfully thwarted an astounding 5.9 million attempts as of May 14th. The subsequent days saw a decrease in volume, but the degree of exploitation activities remained strong during this time.

As BleepingComputer reports, the malicious actors try to insert a malware dropper into a subdirectory of the directory “wp-content/uploads/typehub/custom/” and then hide the file they create with that dropper.

The dropper file is identified by the name “.sp3ctra XO.php,” and its MD5 hash value is 3708363c5b7bf582f8477b1c82c8cb8.

According to Wordfence’s findings, almost one million assaults originated from only three IP addresses:


Website administrators are strongly encouraged to include these IP addresses in their existing blocklists.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Malware as a Service (MaaS). What It Is and How It Can Threaten Your Business?

25 Free & Open Source Cybersecurity Tools for Businesses

Vulnerabilities Found in a WordPress Plugin Are Posing Remote Code Execution Risks

Comments and belong to, belongs to I have reported these, and other IPs from which .sp3ctra XO.php was dropped onto my servers.

I received NO REPLY.

Leave a Reply

Your email address will not be published. Required fields are marked *