WordPress plugin under attack; Bricks Builder bug enables RCE – SC Media

WordPress Bricks Builder, a popular site building plugin and WordPress theme, is being actively targeted by hackers due to a critical vulnerability that allows unauthenticated attackers to perform remote code execution (RCE).
The Bricks plugin vulnerability, tracked as CVE-2024-25600, “means that anybody can run arbitrary commands and take over the site/server,” according to WordPress development and security company Snicco, which discovered the bug. CVE-2024-25600 has a critical CVSS score of 9.8.
Snicco reported the vulnerability to the Bricks developers on Feb. 10, and a patch was released on Feb. 13. Technical details about the bug were first disclosed Sunday; on the same day, active exploitation of the flaw was reported by WordPress vulnerability protection company Patchstack.
Attackers targeting CVE-2024-25600 have been spotted using malware designed to disable WordPress security plugins, according to Patchstack.

Bricks Builder version 1.9.6 and all earlier versions are vulnerable to unauthenticated RCE. Bricks users must update to version 1.9.6.1 for protection against attack.
The Bricks developers also noted that users should update any site backups to the 1.9.6.1 version, as restoring from an outdated backup could reintroduce the vulnerability.
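The backup advice above is easy to get wrong because the fixed release adds a fourth version component (1.9.6.1), which a naive string or float comparison mishandles. The following PHP script is an added example, not code from SC Media or the Bricks developers: it reads the standard `Theme Name:` and `Version:` headers from a theme's `style.css` (Bricks ships as a theme) and classifies each backup against the fix version named in the article. The backup names and header contents are constructed for illustration.

```php
<?php
// Added example, not SC Media's or the Bricks developers' code.
// Flags backups whose Bricks theme is still at or below 1.9.6 so they are not
// restored over a patched site. Sample headers below are constructed.

const BRICKS_FIXED_VERSION = '1.9.6.1'; // fix version named in the article

// Extract one "Field: value" header line from a style.css body; null if absent.
function parse_theme_header( string $css, string $field ): ?string {
    $pattern = '/^\s*\*?\s*' . preg_quote( $field, '/' ) . ':\s*(.+?)\s*$/mi';
    if ( preg_match( $pattern, $css, $m ) ) {
        return $m[1];
    }
    return null;
}

// 1.9.6 and everything earlier is affected. version_compare() handles the
// four-part 1.9.6.1 correctly, which a string or float comparison would not.
function is_vulnerable_bricks_version( string $version ): bool {
    return version_compare( $version, BRICKS_FIXED_VERSION, '<' );
}

// Classify a backup's style.css as 'vulnerable', 'patched' or 'not-bricks'.
// A Bricks theme with no readable Version header is treated as vulnerable.
function classify_backup( string $css ): string {
    if ( parse_theme_header( $css, 'Theme Name' ) !== 'Bricks' ) {
        return 'not-bricks';
    }
    $version = parse_theme_header( $css, 'Version' );
    if ( $version === null || is_vulnerable_bricks_version( $version ) ) {
        return 'vulnerable';
    }
    return 'patched';
}

// Constructed sample headers standing in for style.css files pulled from backups.
$samples = array(
    'backup-2024-01-30' => "/*\nTheme Name: Bricks\nVersion: 1.9.5\n*/",
    'backup-2024-02-12' => "/*\nTheme Name: Bricks\nVersion: 1.9.6\n*/",
    'backup-2024-02-15' => "/*\nTheme Name: Bricks\nVersion: 1.9.6.1\n*/",
    'backup-other-site' => "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/",
);

foreach ( $samples as $name => $css ) {
    printf( "%-20s %s\n", $name, classify_backup( $css ) );
}
```

In a real run you would feed `classify_backup()` the contents of `wp-content/themes/bricks/style.css` from each archive; the classification logic does not change.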
Two major flaws in Bricks Builder were uncovered by Snicco – one that allowed for arbitrary code execution and another that allowed any unauthenticated user to call a Bricks REST API endpoint.
The plugin uses the PHP eval function to execute the variable $php_query_raw, the contents of which can be injected by an attacker via a crafted request to the Bricks REST API.
The PHP eval function is incredibly risky due to its ability to execute arbitrary PHP code and its use is generally discouraged, as noted by both Snicco and the PHP group itself.
“This function is extremely dangerous, to be honest, and should never be used,” Snicco security researcher Calvin Alkan wrote.
Additionally, in a proof-of-concept for CVE-2024-25600 exploitation, Alkan noted that calls to the Bricks REST API could be made without proper permission checks because the render_element_permission_check function only checked for a valid “number used once” (nonce) token to authorize the request.
A valid nonce can easily be retrieved from the HTML on the front end of any Bricks WordPress site, the Snicco researchers noted. WordPress’ developer resources site notes that nonces “should never be relied on for authentication, authorization, or access control.”
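The two defects described above, eval on request-controlled data and a permission callback that treats a nonce as authorization, are both patterns a reviewer can spot in any WordPress REST route. The following is an added example written for this article, not Bricks Builder's code: the namespace, route, option names and all `example_*` functions are hypothetical, while `register_rest_route`, `wp_verify_nonce`, `current_user_can`, `rest_authorization_required_code`, `WP_Error` and the escaping helpers are real WordPress core APIs. It shows the weak nonce-only check beside a capability-based one, and a render callback that dispatches through a fixed allowlist instead of evaluating a string.

```php
<?php
// Added example, not Bricks Builder's code. Route, option and function names
// are hypothetical; the WordPress functions called are real core APIs.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/render', array(
        'methods'             => 'POST',
        'callback'            => 'example_render_element',
        // Pointing this at example_nonce_only_check reproduces the weak pattern.
        'permission_callback' => 'example_render_permission_check',
        'args'                => array(
            'element' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ),
            'text'    => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Weak pattern: the nonce alone decides access. A REST nonce is printed into
// page HTML for logged-out visitors too, so this passes for any visitor.
function example_nonce_only_check( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( (string) $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// Hardened: with cookie authentication WordPress core validates X-WP-Nonce
// before this runs and drops the session if it is bad. That is CSRF
// protection; authorization is a capability question and is decided here.
function example_render_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to render elements.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// No eval(): request data selects a renderer from a fixed allowlist and is
// never treated as code. Unknown element names are rejected outright.
function example_render_element( WP_REST_Request $request ) {
    $renderers = array(
        'heading'   => 'example_render_heading',
        'paragraph' => 'example_render_paragraph',
    );
    $element = (string) $request->get_param( 'element' );
    if ( ! isset( $renderers[ $element ] ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown element.', array( 'status' => 400 ) );
    }
    $text = (string) $request->get_param( 'text' );
    return rest_ensure_response( array( 'html' => $renderers[ $element ]( $text ) ) );
}

function example_render_heading( string $text ): string {
    return '<h2>' . esc_html( $text ) . '</h2>';
}

function example_render_paragraph( string $text ): string {
    return '<p>' . esc_html( $text ) . '</p>';
}
```

The point of the allowlist is that the set of things the endpoint can do is fixed at code-review time; a request can choose among them but cannot add to them, which is exactly what eval on a request variable allows.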
Snicco demonstrated successful exploitation of the Bricks Builder bug to replace every page on a WordPress site with a GIF of the Kool-Aid mascot breaking through a brick wall.
CVE-2024-25600 has been actively exploited since at least Feb. 14, as detected by Patchstack.
Patchstack researchers observed the use of malware post-exploitation that includes a feature to disable WordPress security plugins like Wordfence and Sucuri.
Most attacks against the Bricks vulnerability come from seven IP addresses identified by Patchstack in its advisory. Several of these IP addresses have been reported as targeting WordPress sites through various methods as early as April 2023, according to information available from AbuseIPDB.
Wordfence’s Vulnerability Database page for CVE-2024-25600 notes 36 attacks targeting the vulnerability were blocked within 24 hours, as of Feb. 19.
The Bricks plugin was estimated to have about 25,000 active installations when the vulnerability was disclosed.
Another WordPress plugin vulnerability came under mass attack earlier this year when the Popup Builder plugin was targeted by the Balada Injector campaign. More than 6,700 WordPress sites using Popup Builder were infected due to a cross-site scripting flaw tracked as CVE-2023-6000.
Last October, Balada Injector struck 17,000 WordPress sites, including 9,000 affected by a bug (CVE-2023-3169) in the page building plugin TagDiv Composer.
It is unknown whether Balada Injector, which has infected at least a million WordPress sites since 2017, is involved in exploitation of CVE-2024-25600.
