Attackers are exploiting a recently patched vulnerability in the Bricks Builder plugin for WordPress to hack websites and deploy malware, WordPress security company Patchstack reports.
The issue, tracked as CVE-2024-25600, is described as a remote code execution (RCE) flaw that can be exploited without authentication to execute arbitrary PHP code on an affected WordPress website.
The bug was identified in the ‘prepare_query_vars_from_settings’ function, which is called from different processes in the code, including the Bricks\Query class, which manages the rendering of WordPress post queries, and which uses PHP’s eval function, security researcher Calvin Alkan explains.
An analysis of the process calls revealed that no proper permissions or role checks were applied when a function handling a REST API endpoint was involved.
Because the function only checks for a nonce value and Bricks outputs a valid nonce in the frontend of a WordPress site, even for unauthenticated users, an attacker can easily retrieve the nonce and trigger the RCE. On Monday, the security researcher published proof-of-concept (PoC) code for this bug.
“Note that this vulnerability can be reproduced with an unauthenticated user with the default installation configuration of the theme,” Patchstack points out.
According to the security firm, threat actors are already exploiting the vulnerability and, in some cases, they deploy malware specifically designed to disable security plugins.
Bricks announced patches for the vulnerability on February 13, when Bricks Builder version 1.9.6.1 was released, urging users to update as soon as possible.
“As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed. We advise you to update all your Bricks sites immediately,” Bricks said.
The first exploitation attempts were observed on February 14 and Patchstack says that the attacks are originating from multiple IP addresses.
Bricks Builder is a visual site builder for WordPress that does not require technical expertise to use. Its premium version has roughly 25,000 active installations.
Related: Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution
Related: WordPress 6.4.2 Patches Remote Code Execution Vulnerability
Related: WordPress Websites Hacked via Royal Elementor Plugin Zero-Day