CVE-2021-25094

25.04.2022, 16:16

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
WPScan	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
brandexponents	tatsu	𝑥 < 3.3.12

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html

https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html

https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

https://packetstorm.news/files/id/190566/

https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

https://www.exploit-db.com/exploits/52260