Do you own and manage a WordPress site either personally or as part of your business? Do you also use the Tatsu plugin which offers a powerful suite of in-browser editing features and has been installed by more than 100,000 users worldwide?
If so, be aware that there is a serious security flaw in the plugin, and you should update right away to minimize your risk.
The vulnerability in this case is being tracked as CVE-2021-25094 and allows a remote attacker to execute arbitrary code. The developers behind the plugin made a patch available that protects against the exploit, and that patch has been available since April (2022). Shockingly though, only about half of Tatsu’s users have updated their plugin, leaving more than fifty thousand websites around the world still vulnerable.
Finding out if you’re included in that number is easy. Simply check the version of Tatsu you’re running. If you’re running anything from before version 3.3.12, you are at risk and should update as soon as possible.
Independent security researcher Vincent Michel is credited with discovering the flaw, and he made his discovery public on March 28th 2022, releasing proof of concept exploit code along with his disclosure.
The plugin vendor was highly responsive and released a patch less than two weeks later on April 7th 2022. They urged all users to apply the update right away.
Unfortunately, that plea fell on as many deaf ears as responsive ones, which is how we got where we are today.
Wordfence has been tracking the number of times that hackers have made use of this exploit and has observed a large, widespread campaign in progress. The company reports that more than a million attacks have come from just three IP addresses (148.251.183; 254, 220.127.116.11; and 18.104.22.168).
Site administrators are urged to add these IP addresses to their blocklist in addition to updating. It is very good advice.