CVE-2022-3401

2022-10-2818:12:10

Wordfence

www.cve.org

bricks theme

wordpress

remote code execution

executable code blocks

missing authorization vulnerability

cve-2022-3400

authenticated attackers

minimal permissions

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.5%

JSON

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

CNA Affected

[
  {
    "vendor": "Bricks Builder",
    "product": "Bricks",
    "versions": [
      {
        "version": "1.2",
        "status": "affected",
        "lessThanOrEqual": "1.5.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]