CVE-2021-25094: CWE-306 Missing Authentication for Critical Function in Unknown Tatsu
The add_custom_font action of the Tatsu WordPress plugin before 3.3.12 can be used without prior authentication to upload a rogue zip file, which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", an attacker can bypass the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.
AI Analysis
Technical Summary
CVE-2021-25094 is a vulnerability in the Tatsu WordPress plugin, a popular page builder used to customize website appearance and functionality, in versions prior to 3.3.12. The flaw arises from a missing authentication check on the 'add_custom_font' action, allowing unauthenticated attackers to upload arbitrary ZIP files to the WordPress upload directory. The plugin attempts to restrict uploaded files by extension, but this control can be bypassed by naming a PHP shell file with a leading dot ('.'), which evades the extension filtering mechanism. Additionally, a race condition exists during the ZIP extraction process, which temporarily leaves the malicious PHP shell accessible on the filesystem long enough for an attacker to execute it. This combination enables remote code execution (RCE) on the affected WordPress site without requiring any prior authentication or user interaction. The vulnerability is categorized under CWE-306 (Missing Authentication for Critical Function), indicating that critical functionality is exposed without proper access controls. Although no known exploits have been reported in the wild, the technical details suggest a high risk of exploitation due to the ease of uploading and executing arbitrary code remotely.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their WordPress-based websites and potentially their broader IT infrastructure. Successful exploitation allows attackers to execute arbitrary PHP code remotely, which can lead to full site compromise, data theft, defacement, or use of the compromised server as a pivot point for further attacks within the network. Organizations relying on WordPress sites for customer interaction, e-commerce, or internal portals may suffer reputational damage, financial loss, and regulatory penalties, especially under GDPR if personal data is exposed. The lack of authentication requirement lowers the attack barrier, increasing the likelihood of automated exploitation attempts. Given the widespread use of WordPress in Europe and the popularity of the Tatsu plugin among web developers and agencies, many organizations could be affected. The race condition and bypass of extension controls exacerbate the threat by enabling stealthy deployment of web shells that can persist undetected. This vulnerability is particularly critical for sectors with high-value targets such as finance, healthcare, government, and media in Europe, where website integrity and data protection are paramount.
Mitigation Recommendations
1. Immediate upgrade: Organizations should promptly update the Tatsu plugin to version 3.3.12 or later, where this vulnerability is fixed.
2. Access control: Restrict access to the WordPress admin and upload directories using web server configurations (e.g., .htaccess rules) to limit unauthorized file uploads and execution.
3. File upload monitoring: Implement file integrity monitoring and scanning for suspicious files, especially those with unusual naming patterns such as leading dots or hidden extensions.
4. ZIP handling: Disable ZIP extraction if not required, or replace it with safer extraction libraries that do not suffer from race conditions.
5. Harden PHP execution: Configure the web server to prevent execution of PHP files in upload directories (e.g., disable PHP execution in wp-content/uploads).
6. Web application firewall (WAF): Deploy a WAF with rules to detect and block attempts to exploit this vulnerability, including unauthorized POST requests to the 'add_custom_font' action.
7. Regular security audits: Conduct periodic vulnerability assessments and penetration testing focused on WordPress plugins and custom functionalities.
8. Incident response readiness: Prepare to detect and respond to web shell deployments by monitoring web logs and unusual outbound connections.
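An added defender-side hunt for mitigation items 3 and 6 above (example code, not part of the advisory or of the Tatsu plugin): it walks an uploads tree for dot-prefixed files that carry PHP and flags access-log lines that POST to the add_custom_font action. The admin-ajax.php routing, the .htaccess allow-list, and the sample files and log lines are assumptions constructed for the example.

```python
import os
import re
import tempfile

# A leading dot hides a file from casual listings and, per the advisory, slipped
# past Tatsu's extension check, so the hunt keys on the dot rather than on ".php".
PHP_TAG = re.compile(rb"<\?(php|=)")
ALLOWED_DOTFILES = {".htaccess"}  # hidden files that legitimately live in uploads (assumption)

def find_hidden_php(uploads_root):
    """Return uploads-relative paths of dot-files with a .php extension or a PHP open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if not name.startswith(".") or name in ALLOWED_DOTFILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the open tag sits at the top of a PHP file
            if name.lower().endswith(".php") or PHP_TAG.search(head):
                hits.append(os.path.relpath(path, uploads_root))
    return sorted(hits)

# Assumption: the action is reached via admin-ajax.php with the action name in the
# query string; a body-only parameter would need request-body logging to catch.
ACTION_RE = re.compile(r'"POST [^" ]*add_custom_font')

def flag_requests(log_lines):
    """Return access-log lines that POST to the add_custom_font action."""
    return [line for line in log_lines if ACTION_RE.search(line)]

def build_sample_uploads():
    """Create a constructed uploads tree: two benign files and two hidden PHP files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {  # constructed contents, no real payload
        os.path.join(root, ".htaccess"): b"Options -Indexes\n",
        os.path.join(root, "custom.woff"): b"wOFF placeholder bytes",
        os.path.join(root, ".shell.php"): b"<?php /* constructed sample */ ?>",
        os.path.join(root, ".cache"): b"<?php /* PHP hidden behind a non-PHP name */ ?>",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root

SAMPLE_LOG = [  # constructed Apache-style access-log lines
    '203.0.113.5 - - [01/Jun/2021:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 55',
    '203.0.113.6 - - [01/Jun/2021:10:00:01 +0000] "GET /wp-content/uploads/2021/06/logo.png HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jun/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 10',
]
```

Point find_hidden_php at the real wp-content/uploads directory and feed flag_requests the web server's access log to run the same checks on a live site.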
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2021-01-14T00:00:00.000Z
- Cisa Enriched: false
Threat ID: 682d984bc4522896dcbf7cbd
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/21/2025, 2:24:26 PM
Last updated: 7/31/2025, 3:36:33 AM