Tens of thousands of WordPress websites are potentially at risk of compromise as part of an ongoing large-scale attack targeting a remote code execution vulnerability in the Tatsu Builder plugin.
Tracked as CVE-2021-25094 (CVSS score of 8.1), the vulnerability exists because one of the supported actions does not require authentication when uploading a zip file that is extracted under the WordPress upload directory.
While the plugin includes an extension control, this can be bypassed by adding a PHP shell with a filename that begins with a dot (“.”). Furthermore, a race condition in the…
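A defender's sweep for the artifact described above, as an added example that is not from the original article or the plugin's code: it walks an uploads tree and reports dot-prefixed files whose leading bytes contain a PHP open tag. The function names, the sample tree and its file names are constructed for illustration; point `uploads_root` at the site's actual upload directory.

```python
import os
import tempfile

PHP_TAGS = (b"<?php", b"<?=")  # PHP open tags, compared in lower case


def find_hidden_php(uploads_root, sniff_bytes=4096):
    """Return relative paths of dot-prefixed files that contain a PHP open tag."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(uploads_root):
        for name in filenames:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes).lower()
            except OSError:
                continue  # unreadable file: leave for manual review
            if any(tag in head for tag in PHP_TAGS):
                hits.append(os.path.relpath(path, uploads_root))
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed uploads tree (harmless placeholder contents)."""
    sample = {
        ("2022", "05", "photo.jpg"): b"\xff\xd8\xff\xe0 constructed image bytes",
        ("2022", "05", ".htaccess"): b"Options -Indexes\n",
        ("sample-extract", ".cache.php"): b"<?PHP /* constructed placeholder */ ?>",
        ("sample-extract", "style.css"): b"body { margin: 0 }",
    }
    for parts, data in sample.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for hit in find_hidden_php(root):
            print("suspicious hidden PHP file:", hit)
```

Only the first `sniff_bytes` of each hidden file are inspected, so raise that value if a tag could sit deeper in the file; legitimate dotfiles such as `.htaccess` are not reported unless they contain a PHP tag.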