Hackers are actively exploiting a vital distant code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on weak websites.
The Bricks Builder Theme is a premium WordPress theme described as an modern, community-driven visible web site builder. With round 25,000 lively installations, the product promotes person friendliness and customization in web site design.
On February 10, a researcher named ‘snicco’ found a vulnerability presently tracked as CVE-2024-25600 that impacts the Brick Builder Theme put in with its default configuration.
The security subject is because of an eval perform name within the ‘prepare_query_vars_from_settings’ perform, which might enable an unauthenticated person to take advantage of it to execute arbitrary PHP code.
The Patchstack platform for security vulnerabilities in WordPress acquired the report and notified the Bricks group. A repair grew to become out there on February 13 with the discharge of model 1.9.6.1.
The seller’s advisory famous on the time that there was no proof of the flaw being exploited however urged customers to improve to the most recent model as quickly as doable.
“As of the time of this launch, there’s no proof that this vulnerability has been exploited. Nevertheless, the potential for exploitation will increase the longer the replace to 1.9.6.1 is delayed,” reads Bricks’ bulletin.
“Replace all of your Bricks websites to the most recent Bricks 1.9.6.1 as quickly as doable. However at the very least throughout the subsequent 24 hours. The sooner, the higher,” the developer urged directors.
On the identical day, snicco disclosed some particulars concerning the vulnerability. Right now, the researcher up to date the unique publish to incorporate a demo for the assault however not the exploit code.
Lively exploitation underway
In a publish immediately, Patchstack additionally shared full particulars for CVE-2024-25600, after detecting lively exploitation makes an attempt that began on February 14.
The corporate explains that the flaw arises from executing user-controlled enter by way of the eval perform in prepare_query_vars_from_settings, with $php_query_raw constructed from queryEditor.
Exploitating this security danger is feasible by means of REST API endpoints for server-side rendering, regardless of a nonce test in render_element_permissions_check, because of publicly accessible nonces and insufficient permission checks, which permit unauthenticated entry.
Patchstack says it has noticed within the post-exploitation section that the attackers used particular malware that may disable security plugins like Wordfence and Sucuri.
The next IP addresses have been related to a lot of the assaults:
- 200.251.23.57
- 92.118.170.216
- 103.187.5.128
- 149.202.55.79
- 5.252.118.211
- 91.108.240.52
Wordfence additionally confirmed the lively exploitation standing of CVE-2024-25600, and reported seeing 24 detections prior to now day.
Bricks customers are really helpful to improve to model 1.9.3.1 instantly both by navigating “Look > Themes” within the WordPress dashboard and clicking “replace,” or manually from right here.
