Hackers have targeted the Bricks Builder Theme, a renowned WordPress site builder, exploiting a severe remote code execution (RCE) flaw that impacts over 25,000 active installations. Discovered by researcher ‘snicco’ on February 10 and tracked as CVE-2024-25600, this vulnerability enables malicious actors to execute PHP code on susceptible websites. While there is no evidence of exploitation at the time of discovery, the potential threat prompted a swift response from the Patchstack platform, which notified the Bricks team. The release of version 1.9.6.1 on February 13 offered a fix, urging users to upgrade promptly to mitigate risks.
Despite the initial lack of exploitation evidence, subsequent updates revealed active exploitation attempts detected by Patchstack starting from February 14. The flaw, originating from user-controlled input execution via the eval function, poses a significant risk, particularly through REST API endpoints for server-side rendering. Attackers exploit publicly accessible nonces and inadequate permission checks to gain unauthenticated access, highlighting the urgency for users to update to version 1.9.6.1 to prevent potential breaches.
Patchstack’s disclosure of complete details for CVE-2024-25600 sheds light on the post-exploitation phase, where attackers deploy specific malware to disable security plugins like Wordfence and Sucuri. Additionally, IP addresses associated with most attacks are identified, contributing to the ongoing effort to mitigate risks and protect vulnerable websites. Wordfence’s confirmation of active exploitation underscores the severity of the situation, prompting urgent action among Bricks users to upgrade their themes immediately through the WordPress dashboard or manual updates.
In response to the escalating threat, administrators and website owners are strongly advised to prioritize the security of their Bricks Builder Theme installations by promptly updating to version 1.9.6.1. Failure to do so exposes websites to potential exploitation, data breaches, and unauthorized access. Heightened vigilance and proactive measures, including monitoring for suspicious activity and applying security patches promptly, are essential to safeguarding against evolving cyber threats in the WordPress ecosystem.
