Threat actors have been launching millions of attacks exploiting a remote code execution flaw in the Tatsu Builder plugin for WordPress, with up to half of the nearly 100,000 websites leveraging the plugin still at risk of attacks, according to BleepingComputer.