CVE-2022-3401

2022-10-2819:15:09

[email protected]

web.nvd.nist.gov

bricks

wordpress

theme

vulnerability

remote code execution

cve-2022-3401

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.4%

JSON

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

Affected configurations

Vulners

NVD

Node

bricks_builderbricksRange1.2–1.5.3

CPENameOperatorVersion
bricksbuilder:bricksbricksbuilder brickslt1.5.4

CPE	Name	Operator	Version
bricksbuilder:bricks	bricksbuilder bricks	lt	1.5.4

CNA Affected

[
  {
    "vendor": "Bricks Builder",
    "product": "Bricks",
    "versions": [
      {
        "version": "1.2",
        "status": "affected",
        "lessThanOrEqual": "1.5.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]