CVE-2021-25094
Published: 2022-04-25
Priority: P1 86 · High · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 83.53% (99.6th percentile)
The Tatsu WordPress plugin before 3.3.12 exposes the add_custom_font action without prior authentication. It can be used to upload a rogue zip file which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", an attacker can bypass the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by the attacker.
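The two root causes in the description, an extension check that a leading dot defeats and an extraction step that writes into the web-served directory before validation is complete, are easiest to see side by side. The following is an added illustration written for this page, not the plugin's code and not a reconstruction of its actual check: `naive_extension()` shows one way a check ends up with the dot-prefix bypass (taking the token after the first dot, so `.shell.php` yields `shell`), and `extract_fonts()` shows the hardened shape, where every archive entry is validated against an assumed font allowlist before a single byte is written, extraction goes to a staging directory and the result is renamed into place. The allowlist, the `EXECUTABLE_EXT` set and both sample archives are constructed for the example.

```python
import io
import os
import posixpath
import shutil
import tempfile
import zipfile
from typing import Dict, List, Optional

# Assumed allowlist for a font-upload handler (illustrative; not the plugin's list).
ALLOWED_FONT_EXT = {"woff", "woff2", "ttf", "otf", "eot", "svg"}
# Extensions a typical Apache + mod_php setup may hand to the interpreter.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def naive_extension(name: str) -> str:
    """Illustrative weak check (not the plugin's actual code): the 'extension' is
    the token after the FIRST dot, so '.shell.php' yields 'shell'."""
    parts = name.split(".")
    return parts[1].lower() if len(parts) > 1 else ""


def naive_is_blocked(name: str) -> bool:
    """Denylist on top of naive_extension(): blocks 'shell.php', passes '.shell.php'."""
    return naive_extension(name) in EXECUTABLE_EXT


def real_extension(name: str) -> str:
    """The extension as the web server sees it: text after the LAST dot of the basename."""
    base = posixpath.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_entry(name: str) -> Optional[str]:
    """Return None if a zip entry name is safe to extract, else the rejection reason."""
    if not name or name.endswith("/"):
        return "directory entry"
    if "\\" in name or name.startswith("/"):
        return "absolute or backslash path"
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return "path traversal or empty component"
    base = parts[-1]
    if base.startswith("."):
        return "hidden (dot-prefixed) file"
    # Reject 'x.php.woff' as well: AddHandler-style config can still execute the inner .php.
    if any(seg.lower() in EXECUTABLE_EXT for seg in base.split(".")[1:]):
        return "executable extension inside name"
    ext = real_extension(base)
    if ext not in ALLOWED_FONT_EXT:
        return "extension %r not in allowlist" % ext
    return None


def extract_fonts(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Validate every entry BEFORE writing anything, extract into a staging directory
    beside dest_dir, then rename it into place. A rejected archive never produces a
    file under the served path, so there is no transient window to race."""
    if os.path.exists(dest_dir):
        raise FileExistsError(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        for n in names:
            reason = validate_entry(n)
            if reason:
                raise ValueError("rejected %r: %s" % (n, reason))
        parent = os.path.dirname(os.path.abspath(dest_dir))
        staging = tempfile.mkdtemp(prefix="staging-", dir=parent)
        try:
            zf.extractall(staging, members=names)
            os.replace(staging, dest_dir)  # atomic rename on the same filesystem
        except BaseException:
            shutil.rmtree(staging, ignore_errors=True)
            raise
    return sorted(names)


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, data in entries.items():
            zf.writestr(n, data)
    return buf.getvalue()


def demo() -> dict:
    """Push a dot-prefixed PHP entry and a benign archive through extract_fonts()."""
    malicious = build_zip({".shell.php": b"<?php /* placeholder, not a real shell */ ?>",
                           "Regular.woff": b"wOFF"})
    benign = build_zip({"Regular.woff": b"wOFF", "Bold.ttf": b"\x00\x01\x00\x00"})
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "myfont")
        try:
            extract_fonts(malicious, dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
        nothing_written = os.listdir(root) == []   # no staging dir, no partial extraction
        extracted = extract_fonts(benign, dest)
        on_disk = sorted(os.listdir(dest))
    return {"rejected": rejected, "nothing_written": nothing_written,
            "extracted": extracted, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

The ordering matters more than any single check: validating the whole member list before `extractall` is what removes the race, because the attacker's file is never written under the served directory, not merely deleted afterwards. `real_extension()` also reports `php` for a bare `.php` entry, which the naive split would classify as having no extension at all.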
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brandexponents | tatsu | < 3.3.12 | 3.3.12 |
Detection & IOCs (extracted from sources)
URL: /wp-content/uploads/typehub/custom/{{to_lower(filename)}}/.{(unknown)}.php
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=add_custom_font containing a multipart ZIP file upload; no authentication cookies or nonce are required.
- Alert on creation or access of dot-prefixed PHP files (e.g., /.*.php or /.*.png) under /wp-content/uploads/typehub/custom/; the leading dot is what bypasses the plugin's extension control.
- Monitor for rapid sequential HTTP requests: a POST to admin-ajax.php (upload) immediately followed by a GET/POST to /wp-content/uploads/typehub/custom/<name>/.<shell>.php, indicative of race-condition exploitation.
- Detect POST requests to dot-prefixed PHP/PNG files under /wp-content/uploads/typehub/custom/ with a 'text' POST parameter containing base64-encoded data; this is the shell execution step.
- Flag creation of .htaccess files containing 'AddType application/x-httpd-php .png' under the uploads/typehub/custom/ directory; the htaccess technique uses this to execute PNG files as PHP.
- Nuclei template match: look for a JSON response body containing both '"name":' and '"status":"success' on the add_custom_font upload endpoint to confirm successful exploitation.
- The exploit targets Tatsu WordPress plugin versions <= 3.3.11 only; version 3.3.12 patches the vulnerability. Make version fingerprinting part of detection triage.
- The shell file is auto-deleted after execution by default (unlink(__FILE__)), so filesystem forensics may not find the shell; focus on web server access logs and network traffic instead.
- The race condition window is narrow and the shell exists only briefly on the filesystem. Detection must account for transient file creation events and rapid access patterns rather than persistent file presence.
- The htaccess technique requires AllowOverride All in the Apache configuration to work; this variant may not be applicable on hardened servers.
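Because the shell removes itself and the race window is short, the access log is usually the only durable evidence, and the second and third bullets above can be expressed as a single stateful rule over it. The detector below is an added example for this page, not a rule taken from any of the sources listed: it parses combined-format log lines, records the last POST to admin-ajax.php per client (the action parameter lives in the request body, so it is not visible in the log), and flags any request for a dot-prefixed .php or .png directly under typehub/custom, raising severity when the same client uploaded within an assumed 10-second window. The log lines are constructed, the window and the field names are assumptions, and the severity scheme is the editor's.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Dot-prefixed PHP or PNG directly under the per-font directory the upload creates.
DOT_FILE_RE = re.compile(
    r'^/wp-content/uploads/typehub/custom/[^/]+/\.[^/]+\.(?:php|png)$', re.IGNORECASE
)
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
# Assumed correlation window: the upload and the first hit on the shell are near-simultaneous.
RACE_WINDOW = timedelta(seconds=10)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect(lines: List[str]) -> List[Dict]:
    """Flag every request for a dot-prefixed php/png under typehub/custom; severity is
    'high' when the same client POSTed to admin-ajax.php within RACE_WINDOW just before."""
    last_upload: Dict[str, datetime] = {}
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            last_upload[rec["ip"]] = rec["ts"]  # action=add_custom_font is in the body, not logged
            continue
        if not DOT_FILE_RE.match(rec["path"]):
            continue
        prior = last_upload.get(rec["ip"])
        correlated = prior is not None and timedelta(0) <= rec["ts"] - prior <= RACE_WINDOW
        alerts.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if correlated else "medium",
            "reason": ("admin-ajax POST followed by hit on dot-prefixed file (upload + execute sequence)"
                       if correlated else "request for dot-prefixed file under typehub/custom"),
            # 200: the file answered. Anything else: an attempt where the race was lost or the file was already gone.
            "outcome": "served" if rec["status"] == 200 else "not_served",
        })
    return alerts


# Constructed sample log (not real traffic). 203.0.113.5 runs the full sequence,
# 198.51.100.7 is a legitimate editor using admin-ajax, 192.0.2.9 probes a shell that is not there.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "python-requests/2.27.1"
203.0.113.5 - - [10/May/2022:14:02:11 +0000] "POST /wp-content/uploads/typehub/custom/evilfont/.x9k2.php HTTP/1.1" 200 211 "-" "python-requests/2.27.1"
198.51.100.7 - - [10/May/2022:14:03:40 +0000] "GET /wp-content/uploads/typehub/custom/roboto/roboto.woff HTTP/1.1" 200 44120 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:14:03:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/May/2022:14:09:02 +0000] "GET /wp-content/uploads/typehub/custom/evilfont/.x9k2.php HTTP/1.1" 404 196 "-" "curl/7.81.0"
"""


def run_sample() -> List[Dict]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"], a["ip"], a["method"], a["path"], a["outcome"], "-", a["reason"])
```

The path pattern alone is already high-fidelity, since no legitimate font upload produces a hidden PHP or PNG file in that directory; the admin-ajax correlation mainly separates a live upload-and-execute chain from a later scan for a shell left by someone else, and a 404 on the dot-file is still worth keeping as an attempt indicator.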
CVSS provenance
NVD v3.1: 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
VulnCheck: 8.1 HIGH
GHSA
GHSA-grmv-gp4f-w59q: The Tatsu WordPress plugin before 3
ghsa (unreviewed) · 2022-04-26 · CVE-2021-25094 [HIGH] · CWE-306
VulnCheck
brandexponents tatsu Missing Authentication for Critical Function
vulncheck · 2021 · CVE-2021-25094 [HIGH] · CVSS 8.1
Affected: brandexponents tatsu
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vu
No detection rules found.
Exploit-DB
Tatsu 3.3.11 - Unauthenticated RCE
exploitdb · 2025-04-18 · CVE-2021-25094 [HIGH] · CVSS 8.1
---
# Exploit Title:Tatsu 3.3.11 - Unauthenticated RCE
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Product: Tatsu wordpress plugin <= 3.3.11
# CVE: CVE-2021-25094
# URL: https://tatsubuilder.com/
import sys
import requests
import argparse
import urllib3
import threading
import time
import base64
import queue
import io
import os
import zipfile
import string
import random
from datetime import datetime

# The exploit talks to the target over HTTPS with self-signed certificates; silence the warnings.
urllib3.disable_warnings()


class HTTPCaller():
    """Holds the target URL, request headers, proxy settings and the command to run
    through the uploaded shell (passed base64-encoded in the 'text' POST parameter)."""

    def __init__(self, url, headers, proxies, cmd):
        self.url = url
        self.headers = headers
        self.proxies = proxies
        self.cmd = cmd
        # The listing on this page is cut off mid-line here; the completion below is an
        # editorial inference from the base64 import and the base64-encoded 'text' parameter,
        # not the exploit author's original text.
        self.encodedCmd = base64.b64encode(cmd.encode()).decode()
Nuclei
Wordpress Tatsubuilder <= 3.3.11 - Remote Code Execution
nuclei · CVE-2021-25094 [HIGH] · CVSS 8.1
Wordpress Tatsubuilder ')}}
          --a8bfdd88f26f754c25496d0dd4962d38--

      matchers:
        - type: word
          part: body
          words:
            - '"name":"{{to_lower(filename)}}"'
            - '"status":"success'
          condition: and
          internal: true

    - raw:
        - |
          GET /wp-content/uploads/typehub/custom/{{to_lower(filename)}}/.{(unknown)}.php HTTP/1.1
          Host: {{Hostname}}

      matchers:
        - type: word
          part: body
          words:
            - '{{marker}}'

# digest: 4a0a004730450220373a461dd0e62167751e75b4f8e27cf1f7bd71f0997c65afc8185f5d4dc86e8c022100bc505e2fc0a1fea55d39c9f6c9f37a2ada31bab5359c1f6a933279900db98dcc:922c64590222798bb761d5b6d8e72950
Metasploit
Tatsu Wordpress Plugin RCE
metasploit · CVE-2021-25094 [HIGH] · CVSS 8.1
This module adds an exploit for CVE-2021-25094, an unauthenticated remote code execution in the Tatsu WordPress plugin <= 3.3.11. The module uploads a malicious zip with a PHP payload that is executed in the second part of the exploit.
References:
- http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html
- https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/
- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd
- https://packetstorm.news/files/id/190566/
- https://www.exploit-db.com/exploits/52260
Published: 2022-04-25 · Exploited in the wild