Auth bypass in Tatsu

CVE-2021-25094

In the Tatsu WordPress plugin before 3.3.12, the add_custom_font action can be used without prior authentication to upload a rogue zip file, which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename startin…

Vulnerability class: Broken Authentication

EPSS: 0.910 (99.7th percentile)

Affected products

  • Tatsu (vendor unknown), versions before 3.3.12

Weakness classification (CWE)

  • Missing Authentication for Critical Function (CWE-306)

Frequently asked questions

What is CVE-2021-25094?
CVE-2021-25094 is a vulnerability in Tatsu, classified under Missing Authentication for Critical Function. Published 2022-04-25.
Is CVE-2021-25094 known to be exploited?
21 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.