December 9, 2023

A RCE flaw tracked as  CVE-2021-25094 in the Tatsu Builder plugin for WordPress, which is deployed on roughly 100,000 websites, is being widely exploited by hackers.

Even though a fix has been available since early April, it is noted that nearly 50,000 websites still use a vulnerable version of the plugin.


Tatsu Builder is a well-known plugin that directly integrates vital template modification tools into the web browser. Exploit started on May 10th 2022 and still it’s peaking to higher numbers.

CVE-2021-25094 is the targeted vulnerability, allowing a remote attacker to execute arbitrary code on servers using an older version of the plugin -all builds prior to 3.3.12. Researchers released exploit PoC code.

On April 7, 2022, the vendor published a patch for version 3.3.13 and notified users by email, asking them to update. Wordfence, a business that provides protection for WordPress plugins, has been keeping an eye on the latest cyberattacks. According to the researchers, between 20,000 and 50,000 websites use a vulnerable version of Tatsu Builder.

On May 14, 2022, Wordfence reported spotting millions of cyberattacks against its clients, preventing 5.9 million of them. The volume has decreased in recent days, but exploitation attempts have remained high. The threat actors try to hide a malware dropper by placing it in a subdirectory of the “wp-content/uploads/typehub/custom/” directory.


To prevent attack risks, all Tatsu Builder plugin users are highly advised to upgrade to version 3.3.13.

Indicators of Compromise

  • 3708363c5b7bf582f8477b1c82c8cbf8
  • 148.251.183[.]254
  • 176.9.117[.]218
  • 217.160.145[.] 62

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.