CVE-2021-25094

HIGH · EXPLOITED IN THE WILD · NUCLEI

Tatsu Wordpress Plugin RCE

Title source: metasploit

Exploitation Summary

CVE-2021-25094 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 6 public exploits from researchers including Milad karimi, darkpills and experimentalcrow1, among them the Metasploit module exploits/multi/http/wp_tatsu_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an unauthenticated file upload vulnerability in the Tatsu WordPress plugin (CVE-2021-25094) to achieve remote code execution. It uploads a malicious ZIP archive containing a PHP shell via the 'add_custom_font' AJAX action, then triggers the shell to execute arbitrary commands.

Description

The add_custom_font action of the Tatsu WordPress plugin before 3.3.12 can be used without prior authentication to upload a rogue zip file, which is uncompressed under WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", the extension control implemented in the plugin can be bypassed. Moreover, there is a race condition in the zip extraction process that makes the shell file live long enough on the filesystem to be callable by an attacker.

Exploits (6)

exploitdb WORKING POC
by Milad karimi · python · webapps · php
https://www.exploit-db.com/exploits/52260

This exploit leverages an unauthenticated file upload vulnerability in the Tatsu WordPress plugin (CVE-2021-25094) to achieve remote code execution. It uploads a malicious ZIP archive containing a PHP shell via the 'add_custom_font' AJAX action, then triggers the shell to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Tatsu WordPress plugin <= 3.3.11
No auth needed
Prerequisites: Target must have the vulnerable Tatsu plugin installed · WordPress site must be accessible
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC · 9 stars
by darkpills · remote
https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce

This repository contains a functional exploit for CVE-2021-25094, an unauthenticated RCE vulnerability in the Tatsu Builder WordPress plugin. The exploit leverages a race condition during file upload and extraction to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Tatsu Builder WordPress plugin <= 3.3.11
No auth needed
Prerequisites: Access to the target WordPress site · Tatsu Builder plugin version <= 3.3.11
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC · 1 star
by experimentalcrow1 · remote
https://github.com/experimentalcrow1/TypeHub-Exploiter

This repository contains a functional exploit for CVE-2021-25094, a vulnerability in the TypeHub WordPress plugin that allows arbitrary file upload leading to remote code execution (RCE). The exploit uploads a malicious ZIP file containing a PHP shell to the target WordPress site via the plugin's admin-ajax.php endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TypeHub WordPress plugin (version not specified)
Auth required
Prerequisites: Valid WordPress admin session or CSRF token · Access to the admin-ajax.php endpoint · Presence of the vulnerable TypeHub plugin
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC · 1 star
by TUANB4DUT · poc
https://github.com/TUANB4DUT/typehub-exploiter

This repository contains a functional exploit for CVE-2021-25094, a pre-authentication RCE vulnerability in the WordPress Tatsu Builder plugin. The exploit uploads a malicious ZIP file via the 'add_custom_font' action, leading to arbitrary file upload and remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Tatsu Builder plugin
No auth needed
Prerequisites: Target must have the vulnerable Tatsu Builder plugin installed · Target must allow file uploads to the /wp-content/uploads/typehub/custom/ directory
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by xdx57 · poc
https://github.com/xdx57/CVE-2021-25094

This repository contains a functional PHP exploit for CVE-2021-25094, which targets an unrestricted file upload vulnerability in the Tatsu Plugin for WordPress. The exploit automates the process of uploading a malicious ZIP file via the `add_custom_font` AJAX action, potentially leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Tatsu Plugin for WordPress (versions affected by CVE-2021-25094)
No auth needed
Prerequisites: Target WordPress site with vulnerable Tatsu Plugin installed · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC · EXCELLENT
by Vincent Michel, msutovsky-r7 · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_tatsu_rce.rb

This Metasploit module exploits CVE-2021-25094, an unauthenticated RCE in the Tatsu WordPress plugin <= 3.3.11. It uploads a malicious ZIP containing a PHP payload via a file upload vulnerability and triggers execution by accessing the uploaded file.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Tatsu WordPress Plugin <= 3.3.11
No auth needed
Prerequisites: Target running vulnerable Tatsu plugin · Network access to WordPress admin-ajax.php
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Wordpress Tatsubuilder <= 3.3.11 - Remote Code Execution
HIGH · VERIFIED · by iamnoooob, rootxharsh, pdresearch

References (5)

Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd
Exploit, Third Party Advisory (x_refsource_misc)
https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/52260

Scores

CVSS v3 8.1
EPSS 0.8354
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-11-18
InTheWild.io 2022-05-10
CWE
CWE-306
Status published
Products (1)
brandexponents/tatsu < 3.3.12
Published Apr 25, 2022
Tracked Since Feb 18, 2026