A no-code page builder WordPress plug-in, Tatsu Builder, has a known remote code execution (RCE) flaw that’s under active attack, researchers report, exposing as many as 50,000 sites to takeover.
The Wordfence threat intelligence team is raising the alarm over what it calls a “widespread” attack attempting to exploit CVE-2021-25094, publicly disclosed on March 24. The vulnerability impacts both the premium and free versions of Tatsu Builder.
Because it’s not listed on WordPress.org, the team says it doesn’t know exactly how many installations the plug-in has, but they estimate it’s anywhere from 20,000 to 50,000 sites.
The Wordfence report says the WordPress plug-in attacks first popped up on May 10, and by May 14 threat actors had already launched 5.9 million attacks against 1.4 million sites running Tatsu Builder.
“When it comes to cybersecurity, most organizations give little thought to their websites,” Chris Olson, CEO of The Media Trust, said in a statement in reaction to the attacks. “The Tatsu vulnerability shows us why this is a mistake: websites — which play a key role in marketing and revenue generation — are increasingly targeted by hackers, making them a source of risk to customers and casual visitors.”