Advisory No: TZCERT/SA/2024/02/22
Date of First Release: 22nd February 2024
Source: WordPress plugin Bricks Builder
Software Affected: Bricks Builder versions 1.9.6 and earlier
Overview:
WordPress has released security updates to address a critical vulnerability (CVE-2024-25600) impacting their Bricks Builder Plug-in. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and gain control of the server.
Description:
CVE-2024-25600 (CVSS score of 9.8) is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which could allow an unauthenticated user to exploit it to execute arbitrary PHP code.
Impact:
Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.
Solution:
Users and administrators of affected product versions are advised to update to the latest version immediately.
References:
- https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-021
- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/