cve/2021/CVE-2021-25094.md

### [CVE-2021-25094](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25094)
![](https://img.shields.io/static/v1?label=Product&message=Tatsu&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.3.12%3C%203.3.12%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-306%20Missing%20Authentication%20for%20Critical%20Function&color=brighgreen)

### Description

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

### POC

#### Reference
- http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/InMyMine7/SharkXploit
- https://github.com/MadExploits/TYPEHUB
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/SYRTI/POC_to_review
- https://github.com/Shamsuzzaman321/Wordpress-Exploit-AiO-Package
- https://github.com/TUANB4DUT/typehub-exploiter
- https://github.com/WhooAmii/POC_to_review
- https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce
- https://github.com/experimentalcrow1/TypeHub-Exploiter
- https://github.com/k0mi-tg/CVE-POC
- https://github.com/manas3c/CVE-POC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/trhacknon/Pocingit
- https://github.com/whoforget/CVE-POC
- https://github.com/xdx57/CVE-2021-25094
- https://github.com/youwizard/CVE-POC
- https://github.com/zecool/cve
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2021-25094](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25094)`
			`![](https://img.shields.io/static/v1?label=Product&message=Tatsu&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=3.3.12%3C%203.3.12%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-306%20Missing%20Authentication%20for%20Critical%20Function&color=brighgreen)`

			`### Description`

			`The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.`

			`### POC`

			`#### Reference`
			`- http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html`
			`- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/InMyMine7/SharkXploit`
			`- https://github.com/MadExploits/TYPEHUB`
			`- https://github.com/NaInSec/CVE-PoC-in-GitHub`
			`- https://github.com/SYRTI/POC_to_review`
			`- https://github.com/Shamsuzzaman321/Wordpress-Exploit-AiO-Package`
			`- https://github.com/TUANB4DUT/typehub-exploiter`
			`- https://github.com/WhooAmii/POC_to_review`
			`- https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce`
			`- https://github.com/experimentalcrow1/TypeHub-Exploiter`
			`- https://github.com/k0mi-tg/CVE-POC`
			`- https://github.com/manas3c/CVE-POC`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
			`- https://github.com/trhacknon/Pocingit`
			`- https://github.com/whoforget/CVE-POC`
			`- https://github.com/xdx57/CVE-2021-25094`
			`- https://github.com/youwizard/CVE-POC`
			`- https://github.com/zecool/cve`