A widespread attack is underway to exploit known RCE flaw in Tatsu Builder WordPress plug-in, according to a new report.

Dark Reading Staff, Dark Reading

May 17, 2022

1 Min Read
Wrench on keyboard next to button with a bug to illustrate a computer bug
Source: Alexander Yakimov via Alamy

A no-code page builder WordPress plug-in, Tatsu Builder, has a known remote code execution (RCE) flaw that's under active attack, researchers report, exposing as many as 50,000 sites to takeover. 

The Wordfence threat intelligence team is raising the alarm over what it calls a "widespread" attack attempting to exploit CVE-2021-25094, publicly disclosed on March 24. The vulnerability impacts both the premium and free versions of Tatsu Builder. 

Because it's not listed on Wordpress.org, the team says it doesn't know exactly how many installations the plug-in has, but they estimate it's anywhere from 20,000 to 50,000 sites. 

The Wordfence report says the Wordpress plug-in attacks first popped up on May 10, and by May 14 threat actors had already launched 5.9 million attacks against 1.4 million sites running Tatsu Builder

“When it comes to cybersecurity, most organizations give little thought to their websites," Chris Olson, CEO of the Media Trust, said in a statement in reaction to the attacks. "The Tatsu vulnerability shows us why this is a mistake: websites — which play a key role in marketing and revenue generation — are increasingly targeted by hackers, making them a source of risk to customers and casual visitors." 


About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights