CVE-2021-25094

moderate-risk

Published 2022-04-25

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

Do I need to act?

91.4% chance of exploitation in next 30 days

EPSS score — higher than 9% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52260

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (1)

Tatsu

Affected Vendors

Brandexponents

References (8)

Exploit http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-...

Exploit https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

Exploit https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

Exploit http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-...

Exploit https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

https://packetstorm.news/files/id/190566/

Exploit https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

https://www.exploit-db.com/exploits/52260

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal