WordPress Bricks Builder, a popular site building plugin and WordPress theme, is being actively targeted by hackers due to a critical vulnerability that allows unauthenticated attackers to perform remote code execution (RCE).
The Bricks plugin vulnerability, tracked as CVE-2024-25600, “means that anybody can run arbitrary commands and take over the site/server,” according to WordPress development and security company Snicco, which discovered the bug. CVE-2024-25600 has a critical CVSS score of 9.8.
Snicco reported the vulnerability to the Bricks developers on Feb. 10, and a patch was released on Feb. 13. Technical details about the bug were first disclosed Sunday; on the same day, active exploitation of the flaw was reported by WordPress vulnerability protection company Patchstack.
Attackers targeting CVE-2024-25600 have been spotted using malware designed to disable WordPress security plugins, according to Patchstack.
Bricks Builder version 1.9.6 and all earlier versions are vulnerable to unauthenticated RCE. Bricks users must update to versions 1.9.6.1 for protection against attack.
The Bricks developers also noted that users should update any site backups to the 1.9.6.1 version, as restoring from an outdated backup could reintroduce the vulnerability.
WordPress Bricks plugin used insecure authorization method, PHP function
Two major flaws in Bricks Builder were uncovered by Snicco – one that allowed for arbitrary code execution and another that allowed any unauthenticated user to call a Brick REST API endpoint.
The plugin uses the PHP eval function to execute the variable $php_query_raw, the contents of which can be injected by an attacker via a crafted request to the Brick REST API.
The PHP eval function is incredibly risky due to its ability to execute arbitrary PHP code and its use is generally discouraged, as noted by both Snicco and the PHP group itself.
“This function is extremely dangerous, to be honest, and should never be used,” Snicco security researcher Calvin Alkan wrote.
Additionally, in a proof-of-concept for CVE-2024-25600 exploitation, Alkan noted that calls to the Bricks REST API could be made without proper permission checks because the render_element_permission_check function only checked for a valid “number used once” (nonce) token to authorize the request.
A valid nonce can easily be retrieved from the HTML on the front end of any Bricks WordPress site, the Snicco researchers noted. WordPress’ developer resources site notes that nonces “should never be relied on for authentication, authorization, or access control.”
Snicco demonstrated successful exploitation of the Bricks Builder bug to replace every page on a WordPress site with a GIF of the Kool-Aid mascot breaking through a brick wall.
WordPress Bricks vulnerability used to inject security-killing malware
CVE-2024-25600 has been actively exploited since at least Feb. 14, as detected by Patchstack.
Patchstack researchers observed the use of malware post-exploitation that includes a feature to disable WordPress security plugins like Wordfence and Sucuri.
Most attacks against the Bricks vulnerability come from seven IP addresses identified by Patchstack in their advisory. Several of these IP addresses have been reported as targeting WordPress sites through various methods as early as April 2023, according to information available from AbuseIPDB.
Wordfence’s Vulnerability Database page for CVE-2024-25600 notes 36 attacks targeting the vulnerability were blocked within 24 hours, as of Feb. 19.
The Bricks plugin was estimated to have about 25,000 active installations when the vulnerability was disclosed.
Another WordPress plugin vulnerability came under mass attack earlier this year when the Popup Builder plugin was targeted by the Balada Injector campaign. More than 6,700 WordPress sites using Popup Builder were infected due to a cross-site scripting flaw tracked as CVE-2023-6000.
Last October, Balada Injector struck 17,000 WordPress sites, including 9,000 affected by a bug (CVE-2023-3169) in the page building plugin TagDiv Composer.
It is unknown whether Balada Injector, which has infected at least a million WordPress sites since 2017, is involved in exploitation of CVE-2024-25600.
