Hackers are targeting WordPress sites that run an insecure, unpatched version of the Tatsu no-code website builder plugin. As part of a massive campaign exploiting a vulnerability in the Tatsu Builder plugin, a large number of WordPress websites could be compromised.
The vulnerability, tracked as CVE-2021-25094 and rated CVSS 8.1, stems from one of the plugin's supported actions, uploading a zip file that is then extracted into the WordPress upload directory, not requiring authentication.
How the attack happens
Although the plugin checks file extensions, the check can be bypassed by including a PHP shell whose file name starts with a dot (“.”). In addition, a race condition in the extraction process lets an attacker reach the shell file.
Tatsu is a fast and flexible live front-end visual page builder; once the plugin is activated, every page gets an “Edit with Tatsu” option. Edits are previewed live, so you can see the result as you make changes. Sections, columns, rows and modules are the basic building blocks of Tatsu.
Tatsu Builder, known for its intuitive interface, is a third-party plugin that is not distributed through the default WordPress plugin repository; it is thought to have between 20,000 and 50,000 installations. Both the free and premium versions are affected by the security bug.
Indicators of potential vulnerability
Tatsu emailed an alert to its customers in early April; an estimated quarter of all its installations are still vulnerable. The vulnerability, which affects all Tatsu Builder installations prior to 3.3.13, can be used by remote attackers to install malware on vulnerable users’ sites.
Threat actors began scanning WordPress websites on May 10 for exploitable versions of the plugin, with attacks peaking at an estimated 5.9 million attempts per day on May 14.
The attackers targeted about 1.4 million sites that day, according to WordPress security firm Defiant. The attack is still ongoing, although its intensity continues to decline. Most of the identified attacks are probes that check whether a vulnerable version of the plugin is installed.
Most of the attacks came from a small number of servers, three of which were used to target more than a million websites, according to the indicators of compromise (IoCs) the firm published for the campaign.
The attackers use a dropper to place malware in randomly named subfolders on vulnerable sites; according to Defiant, the dropper is installed as a hidden file. Of course, such intrusion indicators are not always reliable, and criminals can change them now that they are public.
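As an added example that is not part of the article and not code from Tatsu or Defiant, the Python script below turns the two facts above into an audit a site administrator can run: it flags any Tatsu Builder version below 3.3.13, and it lists files under wp-content/uploads that are hidden (dot-prefixed), carry a PHP extension, or begin with a PHP open tag regardless of extension. The sample uploads tree, folder name and file contents are constructed for the demonstration.

```python
"""Audit checks for the Tatsu Builder issue: plugin version and hidden/PHP files in uploads."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 3, 13)  # first release with the complete fix
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # PHP open tag at start of file

def parse_version(text):
    """Turn '3.3.12' into (3, 3, 12) so that 3.3.9 compares below 3.3.13."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable_version(version):
    """True for every release before 3.3.13 (3.3.12 carried only a partial patch)."""
    return parse_version(version) < FIXED_VERSION

def plugin_version_from_header(php_source):
    """Read the 'Version:' line of a WordPress plugin header, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", php_source, re.MULTILINE)
    return match.group(1) if match else None

def find_suspicious_uploads(uploads_root):
    """Return POSIX-style relative paths of files that should never sit in uploads."""
    hits = []
    for path in sorted(Path(uploads_root).rglob("*")):
        if not path.is_file():
            continue
        hidden = path.name.startswith(".")  # the dropper is installed as a hidden file
        php_ext = path.suffix.lower() in (".php", ".phtml", ".php5", ".phar")
        with path.open("rb") as fh:
            has_php_tag = PHP_TAG.search(fh.read(512)) is not None
        if hidden or php_ext or has_php_tag:
            hits.append(path.relative_to(uploads_root).as_posix())
    return hits

def build_sample_tree():
    """Constructed sample uploads directory (not real attack data): one clean image, one hidden PHP file, one disguised PHP file."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "2022" / "05").mkdir(parents=True)
    (root / "2022" / "05" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg bytes")
    (root / "a8f3k2").mkdir()  # constructed randomly named subfolder
    (root / "a8f3k2" / ".cache.php").write_bytes(b"<?php /* constructed placeholder */ ?>")
    (root / "a8f3k2" / "notes.txt").write_bytes(b"<?= 'php hidden behind a .txt name' ?>")
    return root

if __name__ == "__main__":
    print("vulnerable 3.3.12:", is_vulnerable_version("3.3.12"))
    print("suspicious files:", find_suspicious_uploads(build_sample_tree()))
```

Point `find_suspicious_uploads` at the real wp-content/uploads directory and `plugin_version_from_header` at the plugin's main PHP file to audit a live site.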
Proposed protective measures
Although a fixed version of the plugin has been released, not all customers have installed it, as is common with most software, WordPress plugins included. That leaves vulnerable sites open to attackers.
Most companies pay little attention to the cyber security of their websites. Tatsu’s vulnerability shows why this is such a big mistake: websites, which are important for marketing and revenue generation, are being targeted by hackers, putting customers and casual visitors at risk.
As a precaution, everyone in charge of an organization’s website should schedule regular maintenance that includes the latest plugin updates and security patches. Cyber security precautions must be strictly followed if the site uses WordPress or relies on another open-source CMS and third-party code, as these are the main risk drivers.
Final comment
Users are therefore encouraged to update Tatsu Builder to version 3.3.13 as soon as possible, as it contains the complete fix for the vulnerability (version 3.3.12 included only a partial patch).