Millions Of Attacks Target Tatsu Builder Plugin
The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked as CVE-2021-25094 and was publicly disclosed on March 24, 2022, by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin.
The following is a graph showing the total volume of attacks targeting the vulnerability in Tatsu Builder.
Indicators of Attack
Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin. These may appear in your logs with the following query string:
The vast majority of attacks are the work of just a few IP addresses.
The top 3 attacking IPs have each attacked over 1 million sites:
An additional 15 IPs have each attacked over 100,000 sites:
Indicators of Compromise
The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as
The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of
Note the leading dot: on Unix-like systems it marks the file as hidden, and a hidden filename is necessary to exploit the vulnerability, which takes advantage of a race condition.
This file is detected by the Wordfence scanner.
If you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.
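To turn the indicators of compromise above and the version guidance into something an administrator can run directly on a host, here is an added example script. It is my own illustration, not Wordfence's scanner and not part of the original post. It assumes a standard wp-content/uploads layout, that md5sum (or md5 on macOS) is on the PATH, and, for the access-log filter, that an attacker who has placed the dropper then requests it over HTTP; the post does not state that last point. The MD5 it prints is meant to be compared against the hash given in the advisory. The sample files and log lines in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not Wordfence's code): hunt for the Tatsu Builder dropper
# IoC and check whether an installed plugin version is at or above 3.3.13.

# Print "md5  path" for every hidden (dot-prefixed) .php file below
# <uploads_dir>/typehub/custom, the directory the dropper is written to.
# The dropper is normally .sp3ctra_XO.php, but any hidden PHP file under an
# uploads path is suspicious, so all of them are reported.
find_tatsu_dropper() {
    target="$1/typehub/custom"
    [ -d "$target" ] || return 0
    find "$target" -type f -name '.*.php' -exec sh -c '
        for f in "$@"; do
            if command -v md5sum >/dev/null 2>&1; then
                sum=$(md5sum "$f" | cut -d" " -f1)
            else
                sum=$(md5 -q "$f")   # macOS fallback
            fi
            printf "%s  %s\n" "$sum" "$f"
        done' sh {} +
}

# True (0) if the path carries the dropper name reported in the post.
is_known_dropper_name() {
    case "$(basename "$1")" in
        .sp3ctra_XO.php) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter access-log lines (files given as arguments, or stdin) for requests
# to a .php file under wp-content/uploads/typehub/custom/. Assumption: the
# attacker requests the dropped file after placing it.
grep_dropper_requests() {
    grep -E 'wp-content/uploads/typehub/custom/[^ "?]*\.php' "$@"
}

# Read the "Version:" header from a WordPress plugin's main file.
plugin_version() {
    sed -n 's/^[ *]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# True (0) if dotted version $1 is numerically >= $2 (so 3.3.9 < 3.3.13).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0; if (p < q) exit 1;
        }
        exit 0 }'
}

# 3.3.12 only partially patched the issue, so anything below 3.3.13 is vulnerable.
tatsu_is_patched() { version_ge "$1" 3.3.13; }

# Demo on a constructed directory tree, plugin header and log lines.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads/typehub/custom/kqzl8x"
    printf '<?php /* constructed sample */' > "$tmp/uploads/typehub/custom/kqzl8x/.sp3ctra_XO.php"
    printf 'font data' > "$tmp/uploads/typehub/custom/kqzl8x/font.woff"
    printf '/*\n * Plugin Name: Tatsu\n * Version: 3.3.12\n */\n' > "$tmp/tatsu.php"
    echo "== hidden PHP files under typehub/custom =="
    find_tatsu_dropper "$tmp/uploads"
    echo "== suspicious log lines (constructed) =="
    printf '%s\n' \
      '203.0.113.5 - - [01/May/2022:10:00:00 +0000] "GET /wp-content/uploads/typehub/custom/kqzl8x/.sp3ctra_XO.php HTTP/1.1" 200 51' \
      '203.0.113.6 - - [01/May/2022:10:00:01 +0000] "GET /wp-content/uploads/2022/05/photo.jpg HTTP/1.1" 200 8812' |
      grep_dropper_requests
    v=$(plugin_version "$tmp/tatsu.php")
    if tatsu_is_patched "$v"; then echo "Tatsu $v: patched"; else echo "Tatsu $v: VULNERABLE, update to 3.3.13+"; fi
    rm -rf "$tmp"
}

demo
```

On a real host, point `find_tatsu_dropper` at the site's wp-content/uploads directory, feed the web server's access logs to `grep_dropper_requests`, and pass the plugin's main PHP file to `plugin_version`; compare any reported MD5 against the hash in the advisory before deciding a file is the known dropper, since the name alone can be changed by the attacker.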