PT-2021-7096 · WordPress · Tatsu Wordpress Plugin

Darkpills +1

Published: 2021-01-14 · Updated: 2025-04-21

CVE-2021-25094

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tatsu WordPress plugin versions prior to 3.3.12
Description: The vulnerability lies in the add custom font action of the Tatsu WordPress plugin, which can be invoked without authentication to upload an attacker-supplied zip archive. The archive is extracted under the WordPress uploads directory. The plugin's extension control can be bypassed by placing a PHP web shell in the archive under a filename that begins with a dot ("."). In addition, the zip extraction is subject to a race condition: the shell remains on the filesystem long enough for the attacker to request it over HTTP before it is removed. The vulnerability has been exploited in the wild: more than 5.9 million exploitation attempts were blocked between May 10 and May 14. An estimated 100,000 sites run the plugin, and although a fix has been available since April, roughly 50,000 sites were still running a vulnerable version.
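The two extraction patterns behind the description above, as an added example in Python that is not the Tatsu plugin's own code: vulnerable_extract() is the bypassable and racy "extract everything, then delete what is not allowed" approach, and safe_extract() validates every archive entry before writing anything. The font allow-list, the blocked script extensions, the function names and the archive contents are constructed assumptions, not taken from the plugin. The safe version also goes beyond the page's dotfile case by rejecting double extensions such as shell.php.ttf and path-traversal entries.

```python
import glob
import io
import os
import posixpath
import tempfile
import zipfile

# Assumed allow-list of font extensions and block-list of script extensions;
# neither is the plugin's actual list.
ALLOWED_FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "eot"}
BLOCKED_SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps", "pht"}


def file_extension(basename: str) -> str:
    """Lower-cased last suffix of a file name, or '' when it has none."""
    return basename.rsplit(".", 1)[1].lower() if "." in basename else ""


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Bypassable, racy pattern: extract everything, then delete what is not allowed.
    glob('*') never matches names beginning with '.', so '.shell.php' survives the
    sweep (the dotfile bypass); and every file sits on disk between extractall()
    and os.remove(), which under the web root is the race window."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    for path in glob.glob(os.path.join(dest, "*")):
        if os.path.isfile(path) and file_extension(os.path.basename(path)) not in ALLOWED_FONT_EXTENSIONS:
            os.remove(path)
    return sorted(os.listdir(dest))


def validate_entry(info: zipfile.ZipInfo) -> None:
    """Raise ValueError unless the entry is a plain, non-hidden font file."""
    name = info.filename
    base = posixpath.basename(name)
    if info.is_dir():
        raise ValueError(f"directory entries not allowed: {name!r}")
    if name.startswith(("/", "\\")) or "\\" in name or ".." in name.split("/"):
        raise ValueError(f"path traversal rejected: {name!r}")
    if not base or base.startswith("."):
        raise ValueError(f"hidden or empty file name rejected: {name!r}")
    # Check every dot-separated suffix, not only the last: shell.php.ttf passes
    # a last-suffix check yet is executed as PHP by some server configurations.
    if any(p in BLOCKED_SCRIPT_EXTENSIONS for p in base.lower().split(".")[1:]):
        raise ValueError(f"script extension rejected: {name!r}")
    if file_extension(base) not in ALLOWED_FONT_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate all entries, then write them flat into dest. Refusing the whole
    archive before the first write means no disallowed file ever exists under
    dest, so there is no cleanup step for a race to exploit."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        for info in members:
            validate_entry(info)
        written = []
        for info in members:
            base = posixpath.basename(info.filename)  # flatten nested paths
            with zf.open(info) as src, open(os.path.join(dest, base), "wb") as dst:
                dst.write(src.read())
            written.append(base)
    return sorted(written)


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory zip for the demo; the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rejected(zip_bytes: bytes) -> bool:
    """True if safe_extract() refuses the archive and leaves its target directory empty."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(zip_bytes, d)
        except ValueError:
            return not os.listdir(d)
        return False


MALICIOUS_ARCHIVE = build_archive({
    "font.ttf": b"constructed placeholder, not a real font",
    ".shell.php": b"<?php /* constructed placeholder, not a real shell */ ?>",
})
BENIGN_ARCHIVE = build_archive({"font.ttf": b"a", "fonts/other.woff2": b"b"})
DOUBLE_EXT_ARCHIVE = build_archive({"shell.php.ttf": b"c"})


def run_demo() -> dict:
    """Results for the constructed archives, each extracted into a fresh temp dir."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        return {
            "vulnerable_leftover": vulnerable_extract(MALICIOUS_ARCHIVE, d1),
            "safe_benign": safe_extract(BENIGN_ARCHIVE, d2),
            "malicious_rejected": rejected(MALICIOUS_ARCHIVE),
            "double_ext_rejected": rejected(DOUBLE_EXT_ARCHIVE),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running run_demo() shows the hidden .shell.php surviving the vulnerable sweep while safe_extract() refuses the same archive without writing a byte. In a real handler the validated entries should additionally be written to a staging directory outside the web root and only then moved into place, and the web server should deny execution of PHP under the uploads directory as defense in depth; neither of those is a substitute for validating before extraction.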
Recommendations: Update Tatsu WordPress plugin versions prior to 3.3.12 to version 3.3.13 or later. If updating is not immediately possible, disable the add custom font action (or deactivate the plugin) as a temporary workaround, and configure the web server to deny execution of PHP files under the WordPress uploads directory (wp-content/uploads) so that an uploaded shell cannot be called even if extraction succeeds. After updating, inspect the uploads directory for unexpected files, including hidden files whose names start with a dot.

Exploit

Fix

Weakness Enumeration

Missing Authentication
Unrestricted File Upload

Related Identifiers

BDU:2022-03311
CVE-2021-25094

Affected Products

Tatsu Wordpress Plugin