Researchers warn that a serious vulnerability present on tens of thousands of WordPress websites is being abused in the wild.
Security experts from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform called Tatsu Builder.
The vulnerability is being tracked as CVE-2021-25094 and was first spotted in late March this year. It is present in both the free and premium versions of the WordPress plugin.
Attackers use the flaw in the WordPress plugin to deploy a dropper that later installs additional malware. The dropper is usually placed in a randomly named subfolder under wp-content/uploads/typehub/custom/.
The file name starts with a dot, which marks it as a hidden file. Researchers say the dot is needed to exploit the vulnerability, because the exploit relies on a race condition.
Because the plugin is not listed in the WordPress.org repository, Wordfence says it is very difficult to determine exactly how many websites have it installed. However, the company estimates that Tatsu Builder is used by between 20,000 and 50,000 websites.
Although administrators were warned about the flaw about ten days ago, Wordfence estimates that at least a quarter remain vulnerable, which would mean that 5,000 to 12,500 websites could still be attacked.
The attacks, which began a week ago, are still ongoing, researchers say, adding that the scale of the attack has peaked and has been declining since then.
Most of them are probe attacks that seek to determine whether a website is vulnerable or not. Notably, most of the attacks came from only three different IP addresses.
Administrators who want to know whether they have been targeted should check their web server logs for requests containing the following query line: /wp-admin/admin-ajax.php?action=add_custom_font
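As an added example (not code from Wordfence or from the article), the script below scans combined-format Apache/nginx access logs for the admin-ajax.php query line named above, counts hits per source IP, and lists hidden dot-files under the reported dropper location. The sample log lines and the uploads path are constructed for illustration.

```python
import os
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx): client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:12:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2022:12:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:12:05:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 74 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2022:12:07:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.81"
"""


def is_add_custom_font_request(path):
    """True if the request line targets admin-ajax.php with action=add_custom_font."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return "add_custom_font" in parse_qs(parts.query).get("action", [])


def scan_access_log(lines):
    """Return (hits, per_ip): matching entries and a count of matching requests per client IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_add_custom_font_request(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "path": m["path"]})
    return hits, Counter(h["ip"] for h in hits)


def find_hidden_uploads(uploads_root):
    """List dot-files under <uploads>/typehub/custom/, where the article says the dropper lands."""
    custom_dir = os.path.join(uploads_root, "typehub", "custom")
    return [
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(custom_dir)
        for name in files
        if name.startswith(".")
    ]


if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
    print("requests per source IP:", dict(per_ip))
    # Assumed uploads path; adjust to the site's real wp-content/uploads directory.
    print("hidden files:", find_hidden_uploads("/var/www/html/wp-content/uploads"))
```

A matching request only shows that the endpoint was probed; an HTTP 200 on it or a dot-file under the custom fonts directory is the signal that warrants a closer look.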
Those who have the Tatsu Builder plugin installed are recommended to upgrade to the latest version (3.3.13) as soon as possible.