Risk Assessments/Management, Breach, Application security, Security Architecture

Millions of attacks exploiting Tatsu WordPress plugin

Threat actors have been launching millions of attacks exploiting a remote code execution flaw in the Tatsu Builder plugin for WordPress, and up to half of the nearly 100,000 websites running the plugin remain at risk, according to BleepingComputer. Wordfence researchers found that attackers began large attack waves abusing the flaw, tracked as CVE-2021-25094, last Tuesday, peaking at 5.9 million blocked attempts on May 14. Although attack volumes have since declined, exploitation attempts remain elevated, with attackers observed dropping a malware file named ".sp3ctra_XO.php" that is hidden in a subfolder of the "wp-content/uploads/typehub/custom/" directory. Three IP addresses, 148.251.183[.]254, 176.9.117[.]218, and 217.160.145[.]62, accounted for over a million of the observed attacks, the report revealed. Wordfence has urged website administrators to add these IPs to their blocklist and to make sure the Tatsu Builder plugin is updated to version 3.3.13.
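As an added defender-side example, not code from the article, Wordfence or the Tatsu project, the script below checks a WordPress install against the three indicators the report gives: the dropper file under the typehub custom uploads directory, access-log requests from the listed IPs (or for the dropper itself), and the plugin version against 3.3.13. The combined access-log format, the sample log lines and the throwaway directory layout are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Indicators quoted in the article: the three attacking IPs, the dropper's file name and its parent directory.
KNOWN_ATTACK_IPS = {"148.251.183.254", "176.9.117.218", "217.160.145.62"}
DROPPER_NAME = ".sp3ctra_XO.php"
DROPPER_PARENT = os.path.join("wp-content", "uploads", "typehub", "custom")
PATCHED_VERSION = (3, 3, 13)  # fixed Tatsu Builder release named in the article

# Assumed Apache/nginx combined-log prefix: client IP ... [timestamp] "request line" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_dropper(wp_root):
    """Walk the typehub custom upload tree under wp_root and return every file named like the dropper."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(wp_root, DROPPER_PARENT)):
        hits.extend(os.path.join(dirpath, f) for f in files if f == DROPPER_NAME)
    return sorted(hits)

def flag_log_lines(lines):
    """Return (ip, request) for access-log lines sent by a listed IP or requesting the dropper."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (m.group("ip") in KNOWN_ATTACK_IPS or DROPPER_NAME in m.group("req")):
            flagged.append((m.group("ip"), m.group("req")))
    return flagged

def is_patched(version):
    """True when the installed Tatsu Builder version string is 3.3.13 or later."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) >= PATCHED_VERSION

# Constructed sample log lines (not taken from the article); 203.0.113.9 is an ordinary visitor.
SAMPLE_ACCESS_LOG = [
    '148.251.183.254 - - [14/May/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/May/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 8192',
    '198.51.100.7 - - [14/May/2022:10:02:11 +0000] "GET /wp-content/uploads/typehub/custom/x/.sp3ctra_XO.php HTTP/1.1" 200 44',
]

def demo_scan():
    """Build a throwaway WordPress-like tree containing the dropper and scan it (demo only)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, DROPPER_PARENT, "custom-1")
        os.makedirs(sub)
        for name in (DROPPER_NAME, "style.css"):
            open(os.path.join(sub, name), "w").close()
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_dropper(root)]
```

On a real host, call `find_dropper("/var/www/html")` (path assumed) and feed the web server's access log to `flag_log_lines`; a hit from either check, or `is_patched` returning False, is the cue to update the plugin and blocklist the IPs as Wordfence advises.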
