CVE-2021-25094 Overview
CVE-2021-25094 is an unauthenticated remote code execution vulnerability affecting the Tatsu Builder WordPress plugin. The vulnerability exists in the add_custom_font action, which can be exploited without authentication to upload a malicious zip file that gets extracted to the WordPress uploads directory. By crafting a PHP shell with a filename starting with a dot (.), attackers can bypass the plugin's extension control mechanism. Additionally, a race condition in the zip extraction process allows the shell file to persist long enough on the filesystem to be executed by an attacker.
Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable WordPress installations by exploiting the font upload functionality combined with a race condition, potentially leading to complete site compromise.
Affected Products
- Brandexponents Tatsu (versions prior to 3.3.12)
- WordPress installations running a vulnerable version of the Tatsu Builder plugin
Discovery Timeline
- 2022-04-25 - CVE-2021-25094 published to NVD
- 2025-04-21 - Last updated in NVD database
Technical Details for CVE-2021-25094
Vulnerability Analysis
This vulnerability combines multiple security weaknesses to achieve unauthenticated remote code execution. The Tatsu Builder plugin implements a custom font upload feature through the add_custom_font AJAX action. The critical flaw is that this endpoint lacks proper authentication checks, allowing any unauthenticated user to invoke the functionality.
The plugin attempts to implement file extension validation to prevent malicious uploads, but this security control can be bypassed by prepending filenames with a dot character. Files beginning with a dot are treated differently by the validation logic, allowing PHP files to slip through the filter when named like .shell.php.
The exploitation is made possible by a Time-of-Check Time-of-Use (TOCTOU) race condition during the zip extraction process. While the plugin eventually attempts to clean up unauthorized files, there exists a window of time between extraction and cleanup where the malicious PHP file is accessible and executable. Attackers can exploit this race condition by repeatedly requesting the malicious file during extraction, achieving code execution before the cleanup routine removes it.
Root Cause
The root cause is a combination of Missing Authentication for Critical Function (CWE-306) and improper input validation. The add_custom_font action processes zip file uploads without verifying user authentication, and the extension validation logic fails to properly handle hidden files (those starting with a dot character). The asynchronous nature of the zip extraction creates a race condition that can be exploited to execute arbitrary code.
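The two design weaknesses described above (an extension check that lets hidden files through, and an extract-first, clean-up-later flow that leaves a window on disk) are easiest to see side by side. The following Python is an added example, not the plugin's code: extract_then_cleanup is a hypothetical illustration of the extract-first pattern, and validate_then_extract is the hardened form, which inspects every archive entry before anything is written so a rejected file never exists on disk. The font allowlist, the entry names and the archive contents are constructed for the example.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List, Optional

# Allowlist of font extensions (an assumption for this example; the plugin's
# real allowlist is not shown on the page).
FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "eot"}


def build_sample_archive() -> bytes:
    """Constructed archive: one plausible font entry plus a dot-prefixed PHP
    entry whose body is an inert placeholder, not a shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myfont.ttf", b"\x00\x01\x00\x00 constructed font bytes")
        zf.writestr(".shell.php", b"<?php /* constructed placeholder */ ?>")
    return buf.getvalue()


def extract_then_cleanup(archive: bytes, dest: str) -> List[str]:
    """Hypothetical extract-first pattern (illustration, not Tatsu's code):
    everything is written to disk, then a cleanup pass deletes what fails the
    extension check. Returns what was on disk before cleanup, i.e. the window
    a racing request can hit."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
    on_disk = sorted(os.listdir(dest))
    for name in on_disk:
        if os.path.splitext(name)[1].lstrip(".").lower() not in FONT_EXTENSIONS:
            os.remove(os.path.join(dest, name))
    return on_disk


def check_entry(name: str) -> Optional[str]:
    """Rejection reason for one entry name, or None if acceptable. The whole
    name is checked, not just the last extension."""
    if name.endswith("/"):
        return None  # directory entry, carries no file content
    norm = posixpath.normpath(name)
    if name.startswith("/") or "\\" in name or norm.startswith(".."):
        return "absolute path or traversal"
    base = posixpath.basename(norm)
    if base.startswith("."):
        return "hidden (dot-prefixed) file"
    parts = base.lower().split(".")
    if len(parts) != 2:
        return "missing or multiple extensions"
    if parts[1] not in FONT_EXTENSIONS:
        return "extension not in font allowlist"
    return None


def validate_archive(archive: bytes) -> Dict[str, str]:
    """Inspect every entry before anything touches disk. Returns {name: reason}
    for rejected entries; empty means the archive is acceptable."""
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Unix mode sits in the high 16 bits of external_attr; 0o120000 is a symlink
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                rejected[info.filename] = "symlink entry"
                continue
            reason = check_entry(info.filename)
            if reason:
                rejected[info.filename] = reason
    return rejected


def validate_then_extract(archive: bytes, dest: str) -> List[str]:
    """Hardened pattern: refuse the whole archive on any bad entry, so a
    rejected file never exists on disk and there is no cleanup window."""
    rejected = validate_archive(archive)
    if rejected:
        raise ValueError(f"archive rejected: {rejected}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
    return sorted(os.listdir(dest))


def compare(archive: bytes) -> Dict[str, object]:
    """Run both patterns against fresh temp dirs and report what touched disk."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        out["window"] = extract_then_cleanup(archive, d)
        out["after_cleanup"] = sorted(os.listdir(d))
    with tempfile.TemporaryDirectory() as d:
        try:
            out["hardened"] = validate_then_extract(archive, d)
        except ValueError as exc:
            out["hardened"] = str(exc)
        out["hardened_on_disk"] = sorted(os.listdir(d))
    return out


if __name__ == "__main__":
    for key, value in compare(build_sample_archive()).items():
        print(f"{key}: {value}")
```

Running compare() shows the difference directly: the extract-first variant reports .shell.php among the files that were on disk before cleanup, while the hardened variant rejects the archive and leaves the directory empty. Validating names before extraction removes the race entirely; extracting into a directory where the web server refuses to execute PHP (see the workaround configuration below) is the belt-and-braces control for whatever the validator misses.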
Attack Vector
The attack is network-based and requires no prior authentication or user interaction. An attacker crafts a malicious zip archive containing a PHP webshell with a dot-prefixed filename (e.g., .malicious.php). The attacker then sends a POST request to the vulnerable add_custom_font endpoint with the crafted zip file. While the file is being extracted, the attacker races to access the PHP shell before cleanup occurs. Upon successful exploitation, the attacker gains the ability to execute arbitrary PHP code with the privileges of the web server user.
Technical analysis and proof-of-concept details are available in the Dark Pills CVE-2021-25094 Analysis and the Packet Storm RCE Exploit.
Detection Methods for CVE-2021-25094
Indicators of Compromise
- Unexpected PHP files in the WordPress uploads directory, particularly those with dot-prefixed filenames (e.g., .shell.php)
- Suspicious POST requests to /wp-admin/admin-ajax.php with action=add_custom_font
- Anomalous zip file uploads containing PHP files within font-related directories
- Web server logs showing rapid repeated requests to files in the uploads directory immediately following font upload requests
Detection Strategies
- Monitor web server access logs for unauthenticated requests to admin-ajax.php with the add_custom_font action parameter
- Implement file integrity monitoring on the WordPress uploads directory to detect newly created PHP files
- Deploy web application firewall (WAF) rules to block zip uploads containing PHP files to the font upload endpoint
- Use WordPress security plugins to scan for hidden PHP files (dot-prefixed) in the uploads directory
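The log-based indicators and detection strategies above can be turned into a small correlation script. The Python below is an added example, not tooling from the page or the plugin vendor: it parses combined-format access-log lines, flags add_custom_font calls to admin-ajax.php, flags any request for a PHP file under wp-content/uploads (noting dot-prefixed names and whether the same client sent a font upload shortly before), and reports bursts of repeated requests to one such path, which is the race pattern the text describes. The log lines, addresses, paths and user agents are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the common "combined" access-log format; the
# addresses, paths and user agents are invented for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2022:10:00:00 +0000] "GET /wp-content/uploads/2022/04/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Apr/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 54 "-" "python-requests/2.27"
203.0.113.10 - - [25/Apr/2022:10:00:01 +0000] "GET /wp-content/uploads/fonts/myfont/.shell.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
203.0.113.10 - - [25/Apr/2022:10:00:02 +0000] "GET /wp-content/uploads/fonts/myfont/.shell.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
203.0.113.10 - - [25/Apr/2022:10:00:02 +0000] "GET /wp-content/uploads/fonts/myfont/.shell.php HTTP/1.1" 200 12 "-" "python-requests/2.27"
192.0.2.5 - - [25/Apr/2022:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
FONT_UPLOAD_RE = re.compile(r"/wp-admin/admin-ajax\.php\?.*\baction=add_custom_font\b")
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php(?:\?|$)", re.I)
# A PHP file whose basename starts with a dot, anywhere below uploads
HIDDEN_PHP_RE = re.compile(r"/wp-content/uploads/(?:[^/?]+/)*\.[^/?]*\.php(?:\?|$)", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def analyze(log_text: str, window_s: int = 30, burst: int = 3) -> List[dict]:
    """Return alerts: font-upload calls, PHP requests under uploads (flagging
    dot-prefixed names and proximity to a font upload from the same IP), and
    bursts of repeated requests to one uploads PHP path (the race pattern)."""
    alerts: List[dict] = []
    uploads_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    php_hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e:
            continue
        if FONT_UPLOAD_RE.search(e["path"]):
            uploads_by_ip[e["ip"]].append(e["ts"])
            alerts.append({"rule": "font-upload-action", "ip": e["ip"],
                           "path": e["path"], "ts": e["ts"]})
        if UPLOADS_PHP_RE.search(e["path"]):
            recent = any(0 <= (e["ts"] - t).total_seconds() <= window_s
                         for t in uploads_by_ip[e["ip"]])
            php_hits[(e["ip"], e["path"])].append(e["ts"])
            alerts.append({
                "rule": "uploads-php-request", "ip": e["ip"], "path": e["path"],
                "ts": e["ts"], "status": e["status"],
                "hidden": bool(HIDDEN_PHP_RE.search(e["path"])),
                "after_font_upload": recent,
            })
    for (ip, path), stamps in php_hits.items():
        if len(stamps) >= burst and (stamps[-1] - stamps[0]) <= timedelta(seconds=10):
            alerts.append({"rule": "rapid-repeated-uploads-php", "ip": ip,
                           "path": path, "count": len(stamps)})
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-IP count of each rule, a quick triage view."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        out[a["ip"]][a["rule"]] += 1
    return {ip: dict(rules) for ip, rules in out.items()}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print(summarize(analyze(SAMPLE_LOG)))
```

Two caveats when running this against real logs. The action parameter is only visible in the access log when it travels in the query string; if it is sent in the POST body, the access log shows a bare POST to admin-ajax.php and you need a WAF or ModSecurity audit log, or application-level logging, to see it. The access log also cannot tell you whether a request carried a valid session cookie, so every add_custom_font hit deserves review rather than only the ones you can prove were unauthenticated. The 404s followed by a 200 for the same dot-prefixed path are the footprint the Monitoring Recommendations section describes: repeated misses while the file is not yet there, then a hit inside the cleanup window.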
Monitoring Recommendations
- Configure alerts for any PHP file creation in the wp-content/uploads directory tree
- Monitor for outbound connections from the web server that may indicate reverse shell activity
- Review web server error logs for failed attempts to access non-existent PHP files in uploads (may indicate exploitation attempts)
- Implement runtime application self-protection (RASP) to detect and block shell execution attempts
How to Mitigate CVE-2021-25094
Immediate Actions Required
- Update the Tatsu Builder plugin to version 3.3.12 or later immediately
- If immediate patching is not possible, disable the Tatsu Builder plugin until it can be updated
- Scan the WordPress uploads directory for any suspicious PHP files, especially those with dot-prefixed names
- Review web server logs for evidence of exploitation attempts targeting the add_custom_font endpoint
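For the uploads-directory scan recommended above, the following Python is an added example rather than a tool from the page or the vendor. It walks wp-content/uploads (os.walk lists dotfiles, so hidden names are covered), flags any file carrying a PHP-handler extension anywhere in its name (so both .shell.php and names like logo.php.ttf are caught), and flags per-directory configuration files below the uploads root, since a .htaccess or .user.ini dropped into a subdirectory can change how that directory is served. The set of PHP extensions and the sample tree are constructed assumptions for the example.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Extensions a PHP handler may execute (assumption for this example; confirm
# against the host's AddHandler / FilesMatch / fastcgi configuration).
PHP_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7"}
# Per-directory config files that can change how uploads are served. One at the
# uploads root is expected when the deny-PHP workaround is in place; anywhere
# deeper it is worth a look.
CONFIG_NAMES = {".htaccess", ".user.ini"}


def classify(name: str, at_root: bool = False) -> List[str]:
    """Reasons a file name under uploads is suspicious; an empty list means none."""
    reasons: List[str] = []
    if name in CONFIG_NAMES and not at_root:
        reasons.append("config file below uploads root")
    exts = [p for p in name.lower().split(".")[1:] if p]  # every extension segment
    if any(ext in PHP_EXTENSIONS for ext in exts):
        reasons.append("php extension present")
        if exts[-1] not in PHP_EXTENSIONS:
            reasons.append("php extension followed by another extension")
    if name.startswith(".") and reasons:
        reasons.append("dot-prefixed (hidden) file")
    return reasons


def scan_uploads(root: str) -> List[Dict[str, object]]:
    """Walk the uploads tree and report every file classify() objects to,
    with size and mtime for triage."""
    findings: List[Dict[str, object]] = []
    root_abs = os.path.abspath(root)
    for dirpath, _dirs, files in os.walk(root):
        at_root = os.path.abspath(dirpath) == root_abs
        for name in files:
            reasons = classify(name, at_root)
            if not reasons:
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            findings.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "reasons": reasons,
                "size": st.st_size,
                "mtime": st.st_mtime,
                "symlink": stat.S_ISLNK(st.st_mode),
            })
    return sorted(findings, key=lambda f: str(f["path"]))


def build_sample_tree(root: str) -> None:
    """Constructed uploads tree for the example; file bodies are placeholders."""
    layout = {
        "2022/04/photo.jpg": b"\xff\xd8 constructed jpeg bytes",
        "fonts/myfont/myfont.ttf": b"\x00\x01\x00\x00 constructed font bytes",
        "fonts/myfont/.shell.php": b"<?php /* constructed placeholder */ ?>",
        "fonts/other/logo.php.ttf": b"<?php /* constructed placeholder */ ?>",
        "fonts/.htaccess": b"# constructed placeholder\n",
        ".htaccess": b"# root-level deny-PHP rules would live here\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> List[str]:
    """Build the constructed tree in a temp dir and return the flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [str(f["path"]) for f in scan_uploads(root)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for finding in scan_uploads(root):
            print(finding["path"], "->", ", ".join(finding["reasons"]))
```

Point scan_uploads() at the real wp-content/uploads path on a suspect host; the mtime on each finding lines up with the access-log timestamps from the detection step, and a file the attacker has already deleted after use will of course not appear, which is why the log review and the filesystem scan belong together.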
Patch Information
The vulnerability has been addressed in Tatsu Builder version 3.3.12. Site administrators should update to this version or later through the WordPress plugin management interface. For detailed vulnerability information, refer to the WPScan Vulnerability Report. Additional technical details and exploit information can be found at Exploit-DB #52260.
Workarounds
- Restrict access to admin-ajax.php for unauthenticated users if the site functionality permits
- Implement server-level rules to block zip file uploads to the font upload endpoint
- Use a web application firewall (WAF) to filter requests containing the add_custom_font action from unauthenticated sources
- Configure the web server to deny execution of PHP files in the uploads directory using .htaccess or server configuration
# Apache .htaccess configuration to prevent PHP execution in uploads
# Place in wp-content/uploads/.htaccess (AllowOverride must permit it;
# otherwise put the same block in a <Directory> section of the main config)
<FilesMatch "\.php$">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (on 2.4 these directives need mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
# For Nginx, add to the server block BEFORE the generic "location ~ \.php$"
# block that hands requests to PHP-FPM; regex locations are matched in order
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.