Connect with us

Hi, what are you looking for?



Websites Hacked via Vulnerability in Bricks Builder WordPress Plugin

Attackers are exploiting a recent remote code execution flaw in the Bricks Builder WordPress plugin to deploy malware.

Attackers are exploiting a recently patched vulnerability in the Bricks Builder plugin for WordPress to hack websites and deploy malware, WordPress security company Patchstack reports.

The issue, tracked as CVE-2024-25600, is described as a remote code execution (RCE) flaw that can be exploited without authentication to execute arbitrary PHP code on an affected WordPress website.

The bug was identified in the ‘prepare_query_vars_from_settings’ function, which is called from different processes in the code, including the Bricks\Query class, which manages the rendering of WordPress post queries, and which uses PHP’s eval function, security researcher Calvin Alkan explains.

An analysis of the process calls revealed that no proper permissions or role checks were applied when a function handling a REST API endpoint was involved.

Because the function only checks for a nonce value and Bricks outputs a valid nonce in the frontend of a WordPress site, even for unauthenticated users, an attacker can easily retrieve the nonce and trigger the RCE. On Monday, the security researcher published proof-of-concept (PoC) code for this bug.

“Note that this vulnerability can be reproduced with an unauthenticated user with the default installation configuration of the theme,” Patchstack points out.

According to the security firm, threat actors are already exploiting the vulnerability and, in some cases, they deploy malware specifically designed to disable security plugins.

Bricks announced patches for the vulnerability on February 13, when Bricks Builder version was released, urging users to update as soon as possible.

Advertisement. Scroll to continue reading.

“As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to is delayed. We advise you to update all your Bricks sites immediately,” Bricks said.

The first exploitation attempts were observed on February 14 and Patchstack says that the attacks are originating from multiple IP addresses.

Bricks Builder is a visual site builder for WordPress that does not require technical expertise to use. Its premium version has roughly 25,000 active installations.

Related: Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution

Related: WordPress 6.4.2 Patches Remote Code Execution Vulnerability

Related: WordPress Websites Hacked via Royal Elementor Plugin Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.