CVE-2021-25094
published 2022-04-25

Priority: P1 · 86 · high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 83.53% (99.6th percentile)
The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

Affected

1 range

Vendor          Product   Version range   Fixed in
brandexponents  tatsu     < 3.3.12        3.3.12

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/typehub/custom/
url: /wp-content/uploads/typehub/custom/{{to_lower(filename)}}/.{(unknown)}.php
command: action=add_custom_font
filename: .*.php (dot-prefixed random PHP shell filename)
filename: .htaccess (with AddType application/x-httpd-php .png)
filename: .*.png (dot-prefixed random PNG shell filename used with htaccess technique)
other: HTTP header: X-Requested-With: XMLHttpRequest
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=add_custom_font containing a multipart ZIP file upload — no authentication cookies or nonce required.
  • Alert on creation or access of dot-prefixed PHP files (e.g., /.*.php or /.*.png) under /wp-content/uploads/typehub/custom/ — the leading dot is used to bypass the plugin's extension control.
  • Monitor for rapid sequential HTTP requests: a POST to admin-ajax.php (upload) immediately followed by a GET/POST to /wp-content/uploads/typehub/custom/<name>/.<shell>.php — indicative of race-condition exploitation.
  • Detect POST requests to dot-prefixed PHP/PNG files under /wp-content/uploads/typehub/custom/ with a 'text' POST parameter containing base64-encoded data — this is the shell execution step.
  • Flag creation of .htaccess files containing 'AddType application/x-httpd-php .png' under the uploads/typehub/custom/ directory — used by the htaccess technique to execute PNG files as PHP.
  • Nuclei template match: look for JSON response body containing both '"name":' and '"status":"success' on the add_custom_font upload endpoint to confirm successful exploitation.
  • The exploit targets Tatsu WordPress plugin versions <= 3.3.11 only; version 3.3.12 patches the vulnerability. Ensure version fingerprinting is part of detection triage.
  • The shell file is auto-deleted after execution by default (unlink(__FILE__)), so filesystem forensics may not find the shell; focus on web server access logs and network traffic instead.
  • The race condition window is narrow: the shell exists only briefly on the filesystem. Detection must account for transient file creation events and rapid access patterns rather than persistent file presence.
  • The htaccess technique requires AllowOverride All in the Apache configuration to work; this variant may not be applicable on hardened servers.
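The first three detection bullets above (unauthenticated add_custom_font upload, dot-prefixed file under typehub/custom/, and the rapid upload-then-access sequence) can be applied directly to web server access logs. The script below is an added illustration written for this record; it is not a detection rule from any of the cited sources or from the plugin vendor. It assumes combined-format access logs and that the action=add_custom_font parameter is visible in the logged request line (i.e. sent in the query string); when the action travels only in the POST body, the same logic needs a WAF or reverse-proxy log that records that parameter. The log lines and the 10-second correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumption: logs are in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# IOC from the record: a dot-prefixed .php/.png file directly inside a
# per-font subdirectory of /wp-content/uploads/typehub/custom/.
SHELL_PATH_RE = re.compile(
    r'^/wp-content/uploads/typehub/custom/[^/]+/\.[^/]+\.(?:php|png)(?:\?.*)?$'
)
# Upload step: POST to admin-ajax.php with action=add_custom_font in the query string.
UPLOAD_RE = re.compile(r'^/wp-admin/admin-ajax\.php\?(?:.*&)?action=add_custom_font(?:&|$)')
# Assumption: a shell hit this soon after an upload from the same client is "rapid".
RACE_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def analyze(lines):
    """Run the three log-based rules over an iterable of access-log lines.

    Returns a list of (rule_name, client_ip, path) tuples in log order.
    """
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent add_custom_font POST
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if ev["method"] == "POST" and UPLOAD_RE.match(path):
            # Rule 1: the unauthenticated upload endpoint was hit.
            alerts.append(("tatsu_font_upload", ip, path))
            last_upload[ip] = ts
            continue
        if SHELL_PATH_RE.match(path):
            # Rule 2: any request for a dot-prefixed PHP/PNG file in the custom font dir.
            alerts.append(("dot_prefixed_file_under_typehub", ip, path))
            t0 = last_upload.get(ip)
            # Rule 3: same client, shortly after an upload -> race-condition pattern.
            if t0 is not None and timedelta(0) <= ts - t0 <= RACE_WINDOW:
                alerts.append(("upload_then_shell_access", ip, path))
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2022:10:00:02 +0000] "POST /wp-content/uploads/typehub/custom/cfont/.abc123.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Apr/2022:10:05:00 +0000] "GET /wp-content/uploads/typehub/custom/myfont/myfont.woff HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Apr/2022:10:09:00 +0000] "GET /wp-content/uploads/typehub/custom/x/.y.png HTTP/1.1" 404 0 "-" "curl/7.8"',
]

if __name__ == "__main__":
    for rule, ip, path in analyze(SAMPLE_LOG):
        print(f"{rule:<35} {ip:<15} {path}")
```

The legitimate font file request (myfont.woff) produces nothing, the dot-prefixed PNG from a different client fires only the file-path rule, and the paired upload plus .php hit from one client within the window fires all three. Because the shell removes itself after execution, the correlation rule is the one that survives when the file is already gone by the time anyone looks at the filesystem.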

CVSS provenance

NVD v3.1: 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
VulnCheck: 8.1 HIGH