Privacy Ninja

Hackers Target Tatsu WordPress Plugin in millions of Attacks

Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites.

Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April.

Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.

Tatsu Builder is a popular plugin that offers powerful template editing features integrated right into the web browser.

The targeted vulnerability, CVE-2021-25094, allows a remote attacker to execute arbitrary code on servers running an outdated version of the plugin (all builds before 3.3.12).

The flaw was discovered by independent researcher Vincent Michel, who disclosed it publicly on March 28, 2022, along with proof of concept (PoC) exploit code.

The vendor released a patch in version 3.3.13 and alerted users via email on April 7, 2022, urging them to apply the update.

Number of sites under attack (Wordfence)

Wordfence, a company that sells a security product for WordPress sites, has been monitoring the current attacks. Its researchers estimate that between 20,000 and 50,000 websites still run a vulnerable version of Tatsu Builder.

Attack details

Wordfence reports seeing millions of attacks against its customers, blocking a whopping 5.9 million attempts on May 14, 2022.

Attacks detected and blocked by Wordfence (Wordfence)

The volume has declined in the following days, but exploitation efforts continue at high levels.

The threat actors attempt to write a malware dropper into a subfolder of the “wp-content/uploads/typehub/custom/” directory, giving it a dot-prefixed filename so that it is a hidden file. The plugin’s own file check function skips hidden files, so the dropper escapes it.

Extension’s file check function skipping hidden files (darkpills)

The dropper is named “.sp3ctra_XO.php” and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Wordfence reports that more than a million attacks came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218, and 217.160.145[.]62. Website administrators are advised to add these IPs to their blocklist.

These indicators of compromise are not stable: the attackers can switch to other IP addresses and rename the dropper at any time, especially now that the current ones have been publicly exposed.
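The indicators above (a hidden PHP dropper under “wp-content/uploads/typehub/custom/”, its MD5 hash, and the three source IP addresses) can be turned into a hunt across a site’s files and access logs. The script below is an added example written for this page; it is not code from Wordfence, darkpills or the Tatsu vendor. The access-log lines it scans are constructed, the directory tree it walks is built in a temporary folder, and the file it writes under the dropper’s name holds benign placeholder content, so the hash comparison is exercised but does not match on the demo data.

```python
"""IOC hunt for the Tatsu Builder campaign described above (added example,
not code from Wordfence, darkpills or the Tatsu vendor).

scan_typehub_dir(): flag hidden files, PHP files, and the published dropper
name/MD5 under wp-content/uploads/typehub/custom/.
scan_access_log(): flag requests from the published attacker IPs or for a
hidden .php path under typehub/custom.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators as published by Wordfence and quoted in the article above.
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
DROPPER_NAME = ".sp3ctra_XO.php"
ATTACKER_IPS = {"148.251.183.254", "176.9.117.218", "217.160.145.62"}
TYPEHUB_SUBPATH = Path("wp-content") / "uploads" / "typehub" / "custom"

# Constructed sample in combined log format (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
148.251.183.254 - - [14/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.27"
198.51.100.23 - - [14/May/2022:10:02:44 +0000] "GET /wp-content/uploads/typehub/custom/fonts/.sp3ctra_XO.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

# client ip, then the request path; the rest of the line is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# a path component that starts with "." and ends in .php (a hidden PHP file)
HIDDEN_PHP_RE = re.compile(r"/\.[^/]*\.php(?:$|[?/])", re.IGNORECASE)


def md5_of(path):
    """Hex MD5 of a file, streamed so large uploads need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_typehub_dir(wp_root):
    """Return [(relative_path, [reasons])] for suspicious files under typehub/custom.

    os.walk lists dot-prefixed files; a "*.php" shell glob would not, which is
    the blind spot a hidden dropper name exploits.
    """
    base = Path(wp_root) / TYPEHUB_SUBPATH
    findings = []
    if not base.is_dir():
        return findings
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            p = Path(dirpath) / name
            reasons = []
            if name.startswith("."):
                reasons.append("hidden file")
            if name.lower().endswith((".php", ".phtml", ".php5", ".php7")):
                reasons.append("PHP file in uploads")
            if name == DROPPER_NAME:
                reasons.append("known dropper filename")
            if md5_of(p) == DROPPER_MD5:
                reasons.append("MD5 matches published dropper")
            if reasons:
                findings.append((str(p.relative_to(wp_root)), reasons))
    return findings


def scan_access_log(lines):
    """Return [(line_no, client_ip, [reasons])] for suspicious access-log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, path = m.group(1), m.group(2)
        reasons = []
        if ip in ATTACKER_IPS:
            reasons.append("request from published attacker IP")
        if "typehub/custom" in path and HIDDEN_PHP_RE.search(path):
            reasons.append("request for hidden PHP file under typehub/custom")
        if reasons:
            findings.append((n, ip, reasons))
    return findings


def build_demo_tree(root):
    """Write a benign stand-in for the dropper plus a normal file (demo data only)."""
    target = Path(root) / TYPEHUB_SUBPATH / "fonts"
    target.mkdir(parents=True)
    (target / "style.css").write_text("body{}\n")
    # Placeholder content, NOT the real dropper, so the MD5 check will not fire.
    (target / DROPPER_NAME).write_text("<?php /* placeholder for the demo */\n")
    return target


def demo_scan():
    """Build the demo tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_typehub_dir(tmp)


if __name__ == "__main__":
    for path, reasons in demo_scan():
        print(f"FILE {path}: {', '.join(reasons)}")
    for n, ip, reasons in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"LOG  line {n} from {ip}: {', '.join(reasons)}")
```

Run as-is to see the demo output, or call scan_typehub_dir() with the real WordPress root and scan_access_log() with the lines of an actual access log. Two design points: the directory walk deliberately relies on os.walk, which returns dot-prefixed files, whereas a listing built on a shell glob like “*.php” silently drops them, the same kind of gap as the file check pictured above; and any PHP file under wp-content/uploads is treated as suspicious on its own, because the hash and filename are the volatile part of these indicators while “executable code in the uploads tree” is not.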

All users of the Tatsu Builder plugin are strongly recommended to upgrade to version 3.3.13 or later. Sites that ran a vulnerable version during the attack window should also inspect the “wp-content/uploads/typehub/custom/” tree for hidden PHP files, since updating the plugin does not remove a dropper that has already been written.
