A serious vulnerability present in tens of thousands of WordPress websites is being exploited in the wild, researchers have warned.
Security specialists from the Wordfence Threat Intelligence team recently discovered a remote code execution (RCE) vulnerability in a plugin for the popular CMS platform, called Tatsu Builder.
The vulnerability is identified as CVE-2021-25094 and was first spotted at the end of March this year. It is present in the free and premium versions of the WordPress plugin.
Malware deployment
Attackers use the WordPress plugin flaw to deploy a dropper, which then installs additional malware. The dropper is usually placed in a random subfolder in wp-content/uploads/typehub/custom/.
The file name begins with a dot, indicating a hidden file. The researchers say this is necessary to exploit the vulnerability, as it takes advantage of a race condition.
Since the plugin is not listed on the WordPress.org repository, Wordfence says it’s very difficult to identify exactly how many websites have it installed. Still, the company estimates that between 20,000 and 50,000 websites use Tatsu Builder.
Even though administrators were notified of the flaw about ten days ago, Wordfence estimates that at least a quarter remain vulnerable, which would mean that between 5,000 and 12,500 websites could still be attacked.
The attacks, which began a week ago, are still ongoing, the researchers say, adding that the volume of attacks peaked and has since declined.
Most of them are probing attacks that only test whether a site is vulnerable. According to the researchers, the bulk of the traffic came from just three IP addresses.
Administrators curious to know if they have been targeted should check their logs for the following query string: /wp-admin/admin-ajax.php?action=add_custom_font
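The log check above and the dropper location described earlier (a dot-prefixed file in a subfolder of wp-content/uploads/typehub/custom/) can be scripted. The following is an added example, not code from the article or from Wordfence; the log lines are constructed (documentation-range IPs), and the log format, the `wp_root` path and the injectable `walk` parameter are assumptions for the sake of a self-contained check.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the article from the Wordfence report.
SUSPECT_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "add_custom_font"
DROPPER_DIR = os.path.join("wp-content", "uploads", "typehub", "custom")

# Assumed Apache/nginx combined format: client - user [timestamp] "METHOD url HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def is_exploit_probe(line):
    """Return (ip, status) if the request hits the Tatsu font-upload AJAX action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != SUSPECT_PATH:
        return None
    if SUSPECT_ACTION not in parse_qs(parts.query).get("action", []):
        return None
    return m.group("ip"), int(m.group("status"))

def summarize_probes(lines):
    """Count matching requests per source IP; 'ok' counts those the server answered with 200."""
    counts = {}
    for line in lines:
        hit = is_exploit_probe(line)
        if hit:
            ip, status = hit
            counts.setdefault(ip, {"total": 0, "ok": 0})
            counts[ip]["total"] += 1
            counts[ip]["ok"] += int(status == 200)
    return counts

def find_hidden_uploads(wp_root, walk=os.walk):
    """List dot-prefixed files under typehub/custom (assumed: `walk` is injectable for testing)."""
    base = os.path.join(wp_root, DROPPER_DIR)
    return sorted(
        os.path.join(d, f) for d, _sub, files in walk(base) for f in files if f.startswith(".")
    )

# Constructed sample log lines (not from the article); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/May/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 403 0',
    '203.0.113.9 - - [18/May/2022:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30',
]
```

A 200 on a matching request only shows the request was not blocked, not that the site was compromised; confirm by inspecting the upload directory on disk.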
Those who have installed the Tatsu Builder plugin are advised to update to the latest version (3.3.13) as soon as possible.