VYPR
Severity: Unrated · NVD Advisory · Published Apr 25, 2022 · Updated Apr 21, 2025

Tatsu < 3.3.12 - Unauthenticated RCE

CVE-2021-25094

Description

In the Tatsu WordPress plugin before 3.3.12, the add_custom_font action can be used without prior authentication to upload a rogue zip file, which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", this bypasses the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing authentication on the add_custom_font AJAX action and insufficient validation of extracted files allow an unauthenticated attacker to upload a PHP shell."

Attack vector

An unauthenticated attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action=add_custom_font` and a crafted zip file [ref_id=1]. The zip contains a PHP shell whose filename starts with a dot (e.g. `.shell.php`). The plugin filters extracted files by extension only after extraction, and it enumerates them with WordPress's `list_files()`, which skips hidden files, so the dot-prefixed shell is never inspected and never removed [ref_id=1]. The archive is extracted under `/wp-content/uploads/typehub/custom/tatsu/`, which is web-accessible, so the shell can be requested directly over HTTP [ref_id=1]. Whether a dot-prefixed `.php` file is actually served depends on the web server: a default Apache configuration denies only `.ht*` names, and nginx serves dot-files unless a `location` rule blocks them, so in the common case it executes like any other PHP file. There is also a race condition during extraction (CWE-362): every extracted file, hidden or not, sits on disk between `unzip_file()` and the cleanup pass, so a shell with an ordinary name can be called in that window; the hidden-file bypass removes the need to win the race at all [ref_id=1].

Affected code

The vulnerable code is the `add_custom_font` AJAX action handler, which calls `unzip_file()` to extract the uploaded archive into the `typehub_font_dir` directory and only then enumerates the result with WordPress's `list_files()` to remove files with disallowed extensions [ref_id=1]. Because `list_files()` skips names beginning with a dot (`.`), hidden PHP files are never enumerated and therefore never deleted [ref_id=1]. Validation that runs after extraction, over a listing that omits part of the extracted tree, says nothing reliable about what is actually on disk.

What the fix does

The advisory states the vulnerability is fixed in Tatsu version 3.3.12 [ref_id=2]. No patch diff is provided in the bundle, so what the released fix changes cannot be confirmed here; the researcher identifies three root issues: (1) the `add_custom_font` action is reachable without authentication, (2) the extension validation relies on `list_files()`, which skips dot-prefixed files, and (3) there is a window between extraction and cleanup [ref_id=1]. A complete fix has to address all three: register the action with `wp_ajax_` rather than `wp_ajax_nopriv_` and check both a capability (for example `current_user_can( 'manage_options' )`) and a nonce (`check_ajax_referer()`) inside the handler; validate every archive entry before extraction, hidden names included, rather than deleting offenders afterwards; and extract into a directory the web server cannot reach, moving files into the upload tree only once they have passed validation. Denying PHP execution under `wp-content/uploads` at the web server level is defence in depth that blunts this class of bug regardless of the plugin's own checks.
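The two weaknesses described above (a filter that runs after extraction, over a listing that skips dot-files) and the shape of fix described in this section, as an added example in Python that is neither the Tatsu plugin's code nor WordPress's: `vulnerable_extract()` reproduces the plugin's order of operations with a walk that skips hidden names the way `list_files()` does, `validate_zip_entries()` and `safe_extract()` check every archive entry before anything is written under the upload tree, and `find_php_in_uploads()` is the triage check a responder would run against an existing `uploads` directory. The allowlist of font extensions, the archive contents and the file names are constructed for the example; the validator also rejects path traversal and symlink entries, which goes beyond what the page describes.

```python
import io
import os
import posixpath
import shutil
import stat
import tempfile
import zipfile

# Assumed allowlist for a web-font upload; the plugin's real list is not given on the page.
ALLOWED_EXT = {".ttf", ".otf", ".woff", ".woff2", ".eot", ".css"}
PHP_EXT = (".php", ".phtml", ".phar")

def build_zip(entries):
    """Build an in-memory zip from a {path: bytes} mapping (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed archives: one carrying a dot-prefixed shell, one that is clean.
MALICIOUS_ZIP = build_zip({
    "myfont/font.woff": b"wOFF" + b"\x00" * 16,            # placeholder font bytes
    "myfont/.shell.php": b"<?php system($_GET['c']); ?>",  # placeholder webshell
})
CLEAN_ZIP = build_zip({"myfont/font.woff": b"wOFF" + b"\x00" * 16})

def all_files(folder):
    """Every regular file under folder as a sorted relative POSIX path, hidden ones included."""
    return sorted(os.path.relpath(os.path.join(root, f), folder).replace(os.sep, "/")
                  for root, _dirs, files in os.walk(folder) for f in files)

def vulnerable_extract(zip_bytes, dest):
    """Extract first, filter afterwards (the vulnerable order). The filter walks the tree the
    way WordPress list_files() does, skipping names that start with '.', so the shell survives."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)  # every file, shell included, is on disk from here on
    for root, dirs, files in os.walk(dest):
        dirs[:] = [d for d in dirs if not d.startswith(".")]  # list_files() skips hidden dirs
        for f in files:
            if f.startswith("."):  # ...and hidden files, which is the whole bypass
                continue
            if os.path.splitext(f)[1].lower() not in ALLOWED_EXT:
                os.remove(os.path.join(root, f))
    return all_files(dest)

def validate_zip_entries(zip_bytes):
    """Inspect the central directory before writing anything; returns a list of rejection reasons."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, norm = info.filename, posixpath.normpath(info.filename)
            if posixpath.isabs(name) or "\\" in name or norm == ".." or norm.startswith("../"):
                problems.append(f"{name}: escapes the extraction directory")
                continue
            if any(part.startswith(".") for part in norm.split("/")):
                problems.append(f"{name}: hidden file or directory")
            if info.is_dir():
                continue
            if stat.S_ISLNK(info.external_attr >> 16):  # unix mode bits live in the high word
                problems.append(f"{name}: symlink")
            if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
                problems.append(f"{name}: extension not allowed")
    return problems

def safe_extract(zip_bytes, dest):
    """Validate, extract into a private staging directory (assumed to sit outside the web root),
    then move the files into dest so nothing is web-reachable before it has been checked."""
    problems = validate_zip_entries(zip_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    with tempfile.TemporaryDirectory() as staging:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(staging)
        for rel in all_files(staging):
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.move(os.path.join(staging, rel), target)
    return all_files(dest)

def find_php_in_uploads(upload_dir):
    """Triage check for an existing upload tree: any PHP file, hidden ones included."""
    return [p for p in all_files(upload_dir) if p.lower().endswith(PHP_EXT)]

def run_demo():
    """Run both code paths on the constructed archives and return the observable results."""
    results = {}
    with tempfile.TemporaryDirectory() as uploads:
        results["vulnerable_leaves"] = vulnerable_extract(MALICIOUS_ZIP, uploads)
        results["triage_finds"] = find_php_in_uploads(uploads)
    results["validation_problems"] = validate_zip_entries(MALICIOUS_ZIP)
    with tempfile.TemporaryDirectory() as uploads:
        try:
            safe_extract(MALICIOUS_ZIP, uploads)
        except ValueError as exc:
            results["safe_rejected"] = str(exc)
        results["safe_clean"] = safe_extract(CLEAN_ZIP, uploads)
    return results
```

Calling `run_demo()` shows the dot-prefixed shell surviving the vulnerable path while the triage walk still finds it, and the same archive being rejected before extraction by the validated path. A pre-extraction check is only as good as the staging step that follows it: the files must land somewhere the web server cannot reach until every entry has passed, otherwise the race window described above simply moves.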

Preconditions

  • config: The Tatsu plugin version must be prior to 3.3.12
  • config: The WordPress upload directory must be web-accessible, and the web server must serve and execute dot-prefixed `.php` files (the default for nginx and, outside `.ht*` names, for Apache)
  • auth: No authentication required; the add_custom_font action is publicly accessible
  • network: Attacker must be able to send HTTP POST requests to the target server
  • input: Attacker uploads a zip file containing a PHP shell with a dot-prefixed filename

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
