
The add_custom_font action of the Tatsu WordPress plugin before 3.3.12 can be used without prior authentication to upload a rogue zip file, which is uncompressed under WordPress's upload directory. By adding a PHP shell with a filename starting with a dot
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25094
249 hits since 2022-04-25
PHP Vulns Source Ratio: 14% (9386 total, 675 propagated, 4693 filtered)