### [CVE-2021-25094](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25094)
![](https://img.shields.io/static/v1?label=Product&message=Tatsu&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.3.12%3C%203.3.12%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-306%20Missing%20Authentication%20for%20Critical%20Function&color=brighgreen)

### Description

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

### POC

#### Reference
- http://packetstormsecurity.com/files/167190/WordPress-Tatsu-Builder-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/InMyMine7/SharkXploit
- https://github.com/MadExploits/TYPEHUB
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/SYRTI/POC_to_review
- https://github.com/Shamsuzzaman321/Wordpress-Exploit-AiO-Package
- https://github.com/TUANB4DUT/typehub-exploiter
- https://github.com/WhooAmii/POC_to_review
- https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce
- https://github.com/experimentalcrow1/TypeHub-Exploiter
- https://github.com/k0mi-tg/CVE-POC
- https://github.com/manas3c/CVE-POC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/trhacknon/Pocingit
- https://github.com/whoforget/CVE-POC
- https://github.com/xdx57/CVE-2021-25094
- https://github.com/youwizard/CVE-POC
- https://github.com/zecool/cve