This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Unauthenticated Remote Code Execution (RCE) via unrestricted file upload. **Consequences**: Attackers upload malicious ZIP files (fonts) to execute arbitrary OS commands on the server…
**CWE**: CWE-306 (Missing Authentication for Critical Function). **Flaw**: The `add_custom_font` API endpoint allows uploading unverified ZIP files without prior authentication…
**Product**: WordPress plugin **Tatsu Builder**. **Affected**: Versions **<= 3.3.11**. **Scope**: WordPress sites using this specific page builder plugin.
Q4 What can hackers do? (Privileges/Data)
**Privileges**: Unauthenticated access (no login needed). **Action**: Execute arbitrary OS commands (RCE). **Data**: Read/write server files, install backdoors, pivot to internal networks.
Q5 Is the exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**. **Auth**: None required. **Config**: Only requires the plugin to be installed and active. **Ease**: Automated scripts are available for instant exploitation.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Exploit**: **YES**. **PoCs**: Multiple public exploits on GitHub (e.g., `CVE-2021-25094-tatsu-preauth-rce`). **Wild**: Active exploitation detected; 100,000+ sites at risk.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for `wp-admin/admin-ajax.php` with `action=add_custom_font`. **Tools**: Use Nuclei templates (`CVE-2021-25094.yaml`). **Verify**: Check whether the plugin version is <= 3.3.11.
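As an added defender-side example (not code from the original analysis or from the Nuclei project), the following Python checks both signals from Q7: whether an installed Tatsu Builder version falls in the affected range (<= 3.3.11) and whether a web server access log shows POST requests to `admin-ajax.php` carrying `action=add_custom_font`. The log lines are constructed samples, and the combined access log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Last affected release of Tatsu Builder, per the summary above (3.3.12 is fixed).
LAST_VULNERABLE = "3.3.11"

def is_vulnerable_version(version: str) -> bool:
    """True if the plugin version string is within the affected range (<= 3.3.11)."""
    parse = lambda v: tuple(int(p) for p in v.strip().split("."))
    return parse(version) <= parse(LAST_VULNERABLE)

# Assumed Apache/nginx combined log format:
# client - user [timestamp] "METHOD TARGET PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_font_upload_attempts(log_lines):
    """Return (ip, timestamp, status) for POSTs to admin-ajax.php with action=add_custom_font.

    Caveat: access logs only record the query string. If the action parameter is sent
    in the POST body instead, it is invisible here and needs WAF/body inspection
    (see the workaround in Q9).
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        url = urlsplit(m["target"])
        if m["method"].upper() != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if "add_custom_font" in parse_qs(url.query).get("action", []):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2022:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60',
    '203.0.113.5 - - [10/May/2022:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("installed 3.3.11 affected:", is_vulnerable_version("3.3.11"))
    for ip, ts, status in find_font_upload_attempts(SAMPLE_LOG):
        print(f"font upload attempt from {ip} at {ts}, status {status}")
```

A 200 on such a request from an unauthenticated client on a version <= 3.3.11 warrants incident response, not just patching.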
Q8 Is it fixed officially? (Patch/Mitigation)
**Fix**: **YES**. **Patch**: Update Tatsu Builder to version **3.3.12** or later. **Status**: Official vendor release addresses the authentication gap.
Q9 What if no patch? (Workaround)
**Workaround**: Disable the plugin if not in use. **Block**: Restrict access to `admin-ajax.php` via WAF rules. **Limit**: Prevent unauthenticated POST requests to font upload endpoints.