A critical security vulnerability in the WordPress Bricks theme is being actively exploited by threat actors to execute arbitrary PHP code on vulnerable installations.
This vulnerability, tracked as CVE-2024-25600 (CVSS score: 9.8), allows an unauthenticated attacker to remotely execute code. It affects all versions of Bricks (including 1.9.6).
The theme developers have fixed the issue in version 1.9.6.1, released on February 13, 2024, just days after WordPress security provider Snicco reported the vulnerability on February 10.
While a proof-of-concept (PoC) vulnerability has not yet been released, both Snicco and Patchstack have released technical details and pointed out that potentially vulnerable code exists in the prepare_query_vars_from_settings() function.
Specifically, it involves using a security token called a “nonce” to verify permissions, which can then be used to pass arbitrary commands for execution, effectively allowing threat actors to seize control of a target website.
Patchstack said the random values were publicly available on the front-end of the WordPress site, adding that insufficient role checks were applied.
“You should never rely on nonce numbers for authentication, authorization, or access control,” WordPress warns in its documentation. “Use current_user_can() to protect your functions, and always assume that nonce numbers can be compromised.”
WordPress security company Wordfence said that as of February 19, 2024, it had detected more than three dozen attack attempts to exploit the vulnerability. Attempts to exploit the vulnerability allegedly began on February 14, the day after the public disclosure.
Most attacks come from the following IP addresses –
- 200.251.23[.]57
- 92.118.170[.]216
- 103.187.5[.]128
- 149.202.55[.]79
- 5.252.118[.]211
- 91.108.240[.]52
It is estimated that Bricks currently has around 25,000 active installations. Users of this plugin are advised to apply the latest patches to mitigate potential threats.
