Large-Scale Attack Targeting Tatsu Builder WordPress Plugin

A DoS Flaw That Could Help Take Down WordPress Websites

Hackers are reportedly targeting WordPress sites that use an unknown security version of the Tatsu no-code website builder plugin. As part of a massive attack attacking a vulnerability in the Tatsu Creator plugin, a vast number of WordPress websites could be compromised.

The vulnerability, identified as CVE-2021-25094, also known as the CVSS score of 8.1, exists when one of the supported operations, uploading a zip file extracted within the WordPress upload directory, does not require authentication.

How The Attack Happens

While the plugin has an extension control, you can get around it by inserting a PHP console with a filename that starts with a dot (“.”). Furthermore, an attacker can access the shell file due to a race situation in the extraction process.

Tatsu is the front-page builder that is UI similar to Elementor. Every page will have an “Edit with Tatsu” option when you activate the plugin since it is a fast and flexible live front-end visual page builder. You can update your pages while seeing a quick overview of your edits hence enabling you to see the outcomes as you proceed. Sections, columns, rows, and modules are the basic building blocks of Tatsu.

Due to its straightforward interface, the Tatsu Builder, and a customized plugin that is not accessible in the default WordPress repository, it is believed to have around 20,000 and 50,000 installations. The security flaw in free and premium is still affected by the security flaw editions.

Indicators of Potential Vulnerabilities

Tatsu released an email alert to its subscribers in early April, estimating that a quarter of them are still susceptible in all its installations. The vulnerability, which affects all Tatsu Builder installations before 3.3.13, could be used by external attackers to install malware on vulnerable users.

Threat prevention specialists started probing WordPress websites on May 10 to pursue exploitable versions of its plugin, with the attacks peaking on May 14 at approximately 5.9 million attempts per day.

According to Defiant, the WordPress security firm, the attackers targeted around 1.4 million internet sites on that day. The attack intensity continues to decrease, although it is still occurring. Most of these assaults detected are probing assaults to assess the prevalence of a vulnerable plugin.

According to the firm’s released (IoCs) indications of compromise linked to the campaign, the majority of the assaults were carried out by a small number of Servers, with as few as three of them being used to target over a million websites each. 

The attackers would use a dropper to download a virus to a randomly named subfolder on vulnerable sites. According to Defiant, the dropper is installed as a hidden file. Of course, most of these indicators of infiltration aren’t always reliable, and the perpetrator could change them now that they’ve been made public.

Recommended Protective Measures

Even though an enhanced version of the plugins has since been issued, not all subscribers have installed it, as is familiar with most software, in this instance, the WordPress plugin. It enables hackers to access vulnerable sites.

Most firms pay little care to their websites in terms of their cybersecurity.  The Tatsu vulnerability demonstrates why it’s such a huge error: Websites, which are critical for marketing and income production, are being targeted by hackers, putting consumers and casual users at risk.

As a precaution, everyone in charge of an organization’s website should undertake regular planned maintenance, including the latest plugin updates and security patches. It is essential to observe a strict observance of cyber security precautions if it uses WordPress or perhaps another type of open-source CMS largely reliant on third-party programming, as these are major risk drivers.

Final Remarks

Therefore, users are encouraged to update to Tatsu’s Builder version 3.3.13 as soon as possible because it has a complete solution for the vulnerabilities, with a partial patch being included in version 3.3.12) thus, users are urged to do so as soon as possible.


Leave a Comment


Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password