Unauthenticated Remote Code Execution (RCE) Vulnerability in Bricks Builder for WordPress (CVE-2024-25600)
Introduction:
In this post we look at a critical vulnerability in the Bricks Builder theme for WordPress that allows unauthenticated remote code execution (RCE). Tracked as CVE-2024-25600, it affects Bricks versions <= 1.9.6 and is fixed in 1.9.6.1. We cover the technical root cause, the exploitation path, the impact, and the recommended mitigations.
Technical Analysis:
The vulnerability stems from the unsafe use of PHP's eval() function in Bricks. The affected code is in the Bricks\Query class, in the prepare_query_vars_from_settings method: a variable named $php_query_raw, built from element settings (the query editor), is passed straight to eval(). Whoever controls those settings therefore executes arbitrary PHP on the server, in the context of the web-server user.
public static function prepare_query_vars_from_settings( $settings = [], $fallback_element_id = '' )
{
// CUT OUT FOR CLARITY
$execute_user_code = function () use ( $php_query_raw ) {
$user_result = null; // Initialize a variable to capture the result of user code
// Capture user code output using output buffering
ob_start();
$user_result = eval( $php_query_raw ); // Execute the user code - main culprit
ob_get_clean(); // Get the captured output
return $user_result; // Return the user code result
};
// CUT OUT FOR CLARITY
}
To exploit this, an attacker needs a code path that reaches prepare_query_vars_from_settings with attacker-controlled settings. Bricks\Ajax::render_element($element) provides one: it renders previews of blocks and elements for the editor, taking the element, including its settings, from the request. It is reachable both through the admin-ajax.php endpoint and through the WordPress REST API, so a crafted request to either endpoint triggers execution of arbitrary code.
There is a permission check, Ajax::render_element_permissions_check, but it only verifies that the request carries a valid nonce. A WordPress nonce is a CSRF token, not an authorization check, and Bricks prints a valid nonce into the frontend HTML for every visitor, authenticated or not. An attacker can therefore fetch any public page of the site, extract the nonce, and submit a render_element request without ever logging in.
For a detailed analysis, see: https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
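The check described above is the textbook confusion of a CSRF nonce with authorization. As an added example (not Bricks' own code and not the vendor's 1.9.6.1 patch), the following must-use plugin shows the kind of temporary gate a site owner could drop into wp-content/mu-plugins/ until the update is installed: it intercepts the render path before the element handler runs and requires an actual capability, on both the REST route and the admin-ajax action. The route name bricks/v1/render_element, the admin-ajax action name bricks_render_element and the capability edit_posts are assumptions for illustration; adjust them to what your installation actually registers.

```php
<?php
/**
 * Plugin Name: Temporary gate for Bricks render_element (illustrative)
 *
 * Added example, not Bricks' own code and not the 1.9.6.1 fix. Place in
 * wp-content/mu-plugins/ as a stopgap only; remove once Bricks >= 1.9.6.1 is installed.
 *
 * Assumptions (adjust to your install): the REST route is bricks/v1/render_element,
 * the admin-ajax action is bricks_render_element, and 'edit_posts' is the minimum
 * capability a builder user holds.
 */

const BRICKS_GATE_ROUTE      = '/bricks/v1/render_element';
const BRICKS_GATE_AJAX       = 'bricks_render_element';
const BRICKS_GATE_CAPABILITY = 'edit_posts';

/**
 * A valid nonce only proves the caller obtained a page we served; Bricks prints
 * that nonce to anonymous visitors, so it says nothing about who the caller is.
 * Authorization has to come from the WordPress user attached to the request.
 */
function bricks_gate_is_authorized(): bool {
    return is_user_logged_in() && current_user_can( BRICKS_GATE_CAPABILITY );
}

/**
 * REST: 'rest_request_before_callbacks' runs before the route's own
 * permission_callback. Returning a WP_Error makes WP_REST_Server skip both the
 * permission callback and the handler, so render_element never executes.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! ( $request instanceof WP_REST_Request ) ) {
        return $response;
    }
    if ( strpos( $request->get_route(), BRICKS_GATE_ROUTE ) === false ) {
        return $response; // not the gated route, leave other endpoints alone
    }
    if ( ! bricks_gate_is_authorized() ) {
        return new WP_Error(
            'rest_forbidden',
            'Element rendering requires a logged-in builder user.',
            [ 'status' => 403 ]
        );
    }
    return $response;
}, 0, 3 );

/**
 * admin-ajax: anonymous callers hit wp_ajax_nopriv_{action}; logged-in callers
 * hit wp_ajax_{action}. Priority 0 puts the gate ahead of the theme's handler,
 * and wp_send_json_error() ends the request, so the handler never runs.
 */
add_action( 'wp_ajax_nopriv_' . BRICKS_GATE_AJAX, function () {
    wp_send_json_error( 'Element rendering requires a logged-in builder user.', 403 );
}, 0 );

add_action( 'wp_ajax_' . BRICKS_GATE_AJAX, function () {
    if ( ! bricks_gate_is_authorized() ) {
        wp_send_json_error( 'Element rendering requires a logged-in builder user.', 403 );
    }
}, 0 );
```

This is a virtual patch: it does not remove the eval() call, it only stops unauthenticated and low-privilege callers from reaching it, which is exactly the check the nonce-only callback was missing. Any account that holds the capability can still reach eval(), so the update remains mandatory.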
Impact:
The unauthenticated RCE vulnerability in Bricks Builder versions <= 1.9.6 allows attackers to execute arbitrary PHP code, and through it operating-system commands, as the web-server user. This leads to complete compromise of the affected WordPress site: unauthorized access, data theft, backdoors, and use of the server for further malicious activity. Because no account is required, every unpatched installation that exposes its frontend is reachable, which makes the attack surface very wide.
Active exploitation underway:
According to BleepingComputer:
Patchstack also shared complete details for CVE-2024-25600, after detecting active exploitation attempts that started on February 14.
The company explains that the flaw arises from executing user-controlled input via the eval function in prepare_query_vars_from_settings, with $php_query_raw constructed from queryEditor.
Exploiting this security risk is possible through REST API endpoints for server-side rendering, despite a nonce check in render_element_permissions_check, due to publicly accessible nonces and inadequate permission checks, which allow unauthenticated access.
Patchstack says it has observed in the post-exploitation phase that the attackers used specific malware that can disable security plugins like Wordfence and Sucuri.
The following IP addresses have been associated with most of the attacks:
- 200.251.23[.]57
- 92.118.170[.]216
- 103.187.5[.]128
- 149.202.55[.]79
- 5.252.118[.]211
- 91.108.240[.]52
Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day.
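To hunt for this activity in web-server logs, here is an added example (written for this post, not code from BleepingComputer, Patchstack or Wordfence) that scans Apache/Nginx combined-format access log lines for the two request paths described above and for the source IPs listed. The sample log lines are constructed; the route name /bricks/v1/render_element and the admin-ajax action name bricks_render_element are assumptions taken from the public advisories. An access log records only the query string, not the POST body, so an admin-ajax action or the queryEditor settings carried in the body are invisible here; for those you need WAF or request-body logging, which is why the script also flags any POST to admin-ajax.php from a listed IP.

```php
<?php
// Added example for hunting CVE-2024-25600 exploitation attempts in access logs.
// Not code from the post's sources; the sample log lines below are constructed.

// Source IPs reported as associated with most attacks (from the post).
const BRICKS_IOC_IPS = [
    '200.251.23.57', '92.118.170.216', '103.187.5.128',
    '149.202.55.79', '5.252.118.211', '91.108.240.52',
];

// Request paths to the vulnerable render handler (route/action names assumed).
const BRICKS_REST_ROUTE  = '/bricks/v1/render_element';
const BRICKS_AJAX_ACTION = 'action=bricks_render_element';

/**
 * Parse one line in combined log format. Returns null for lines that do not match.
 */
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/**
 * Return the reasons a request is suspicious (empty array = nothing found).
 */
function classify_request( array $r ): array {
    $reasons = [];
    $ioc_ip  = in_array( $r['ip'], BRICKS_IOC_IPS, true );
    if ( $ioc_ip ) {
        $reasons[] = 'source IP in published IoC list';
    }
    $uri = $r['uri'];
    // REST route: pretty-permalink form or the ?rest_route= fallback (possibly URL-encoded).
    if ( stripos( $uri, BRICKS_REST_ROUTE ) !== false
        || stripos( rawurldecode( $uri ), BRICKS_REST_ROUTE ) !== false ) {
        $reasons[] = 'request to render_element REST route';
    } elseif ( stripos( $uri, 'admin-ajax.php' ) !== false ) {
        if ( stripos( $uri, BRICKS_AJAX_ACTION ) !== false ) {
            $reasons[] = 'admin-ajax bricks_render_element action in query string';
        } elseif ( $ioc_ip && $r['method'] === 'POST' ) {
            // The action normally travels in the POST body, which is not logged;
            // from a known-bad IP treat any admin-ajax POST as suspect.
            $reasons[] = 'POST to admin-ajax.php from IoC IP (action not visible in log)';
        }
    }
    return $reasons;
}

// Constructed sample lines (not real traffic).
$sample_log = <<<'LOG'
203.0.113.10 - - [14/Feb/2024:10:12:01 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
5.252.118.211 - - [14/Feb/2024:10:12:03 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.7 - - [14/Feb/2024:10:15:44 +0000] "POST /?rest_route=%2Fbricks%2Fv1%2Frender_element HTTP/1.1" 200 498 "-" "curl/8.4.0"
91.108.240.52 - - [14/Feb/2024:10:16:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Feb/2024:10:17:30 +0000] "POST /wp-admin/admin-ajax.php?action=bricks_render_element HTTP/1.1" 403 12 "-" "Go-http-client/1.1"
203.0.113.12 - - [14/Feb/2024:10:18:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "https://example.test/" "Mozilla/5.0"
LOG;

foreach ( explode( "\n", $sample_log ) as $line ) {
    $r = parse_combined_line( $line );
    if ( $r === null ) {
        continue;
    }
    $reasons = classify_request( $r );
    if ( $reasons === [] ) {
        continue;
    }
    // A 2xx means the handler answered; on an unpatched site that is worth a closer look.
    $outcome = $r['status'] < 300
        ? 'handler responded 2xx, investigate'
        : 'blocked or errored (status ' . $r['status'] . ')';
    printf( "%s %s %s %s -> %s [%s]\n",
        $r['time'], $r['ip'], $r['method'], $r['uri'], $outcome, implode( '; ', $reasons ) );
}
```

Run it with php on a real log by replacing the constructed $sample_log with the file contents. Note the last sample line: an admin-ajax POST from an unlisted IP with the action in the body produces no hit, so the absence of matches in access logs does not prove the site was not targeted; check the site for the post-exploitation signs the advisories describe (disabled security plugins, new admin users, modified theme or plugin files) regardless.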
Proof of Concept (PoC):
A PoC demonstrating the exploitability of the vulnerability has been provided by the researcher who discovered the issue. You can find the PoC code in the following GitHub repository: CVE-2024-25600 PoC.
Mitigation and Recommendations:
The Bricks development team was notified of the vulnerability and promptly released version 1.9.6.1, which fixes it. All Bricks users should upgrade to version 1.9.6.1 (or higher) immediately to protect their sites from exploitation, which is already under way.
What should you do?
Immediately update Bricks to version 1.9.6.1 or higher; this release closes the vulnerability. Bricks is installed as a WordPress theme, so it is not listed under Plugins. To update:
- Log in to your WordPress dashboard.
- Go to Dashboard > Updates (which lists pending theme updates) or Appearance > Themes.
- Find Bricks and click Update Now.
- Confirm afterwards that Appearance > Themes shows Bricks at version 1.9.6.1 or higher; if you run a child theme, it is the parent Bricks theme that must be updated.
Beyond upgrading, the following practices reduce a WordPress site's exposure to this class of issue in plugins and themes.
Additional security measures:
- Disable the Bricks REST API if it is not actively used. This reduces the attack surface, but it is not a substitute for the update: the same render handler is also reachable through admin-ajax.php.
- Regularly update all your WordPress plugins and themes. Outdated software often contains security vulnerabilities.
- Implement a strong web application firewall (WAF). This can help block malicious requests before they reach your website.
- Consider using a security plugin. These can provide additional protection against various threats, but note that the malware observed in this campaign disabled Wordfence and Sucuri after compromise, so they do not replace patching.
- Only download and install plugins and themes from trusted sources, such as the official WordPress repository.
- Enable automatic updates for plugins and themes whenever possible to ensure timely application of security patches. (optional but recommended)
- Regularly monitor security advisories and vulnerability databases for any reported issues related to the plugins and themes you are using.
Conclusion:
CVE-2024-25600 in the Bricks Builder theme for WordPress exposes websites to remote code execution by unauthenticated attackers, and it is being exploited in the wild. By upgrading to Bricks 1.9.6.1 or higher and following the practices above, site owners can close this vulnerability and reduce the impact of the next one. Apply patches promptly and keep watching for compromise indicators, since exploitation began before many sites had updated.
For more technical details and a comprehensive analysis of the vulnerability, please refer to the following technical analysis link: CVE-2024-25600 Technical Analysis.
Note: This blog post is for informational purposes only and does not endorse or promote any malicious activities.