
Critical Vulnerability in WordPress Bricks Plug-in (CVE-2024-25600)

Advisory No: TZCERT/SA/2024/02/22

Date of First Release: 22nd February 2024

Source: WordPress plugin Bricks Builder

Software Affected: Bricks Builder versions 1.9.6 and earlier

Overview:

WordPress has released security updates to address a critical vulnerability (CVE-2024-25600) impacting their Bricks Builder Plug-in. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and gain control of the server.

Description:

CVE-2024-25600 (CVSS score of 9.8) is caused by an eval function call in the 'prepare_query_vars_from_settings' function, which could allow an unauthenticated user to execute arbitrary PHP code on the affected site.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution:

Users and administrators of affected product versions are advised to update to the latest version immediately.
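As a practical check for the "versions 1.9.6 and earlier" range stated above, the following is an added Python example (not TZCERT's or the Bricks project's own code) that reads the Version: line from a WordPress-style plugin or theme file header and compares it component-wise against 1.9.6. The header text is a constructed sample; the Version header format is the standard WordPress file-header convention, and treating a longer version with an equal prefix (for example 1.9.6.1) as newer than 1.9.6 is an assumption about the project's numbering, not a statement about which release contains the fix.

```python
"""Flag a WordPress plugin/theme header whose Version falls in the affected range.

Added example; not code from the advisory or from the Bricks project.
The affected ceiling (1.9.6) is taken from the advisory text.
"""
import re
from typing import Dict, Optional, Tuple

# "Bricks Builder versions 1.9.6 and earlier" per the advisory.
AFFECTED_MAX = "1.9.6"

# Constructed sample of a WordPress file header (plugins carry it in the main
# PHP file, themes in style.css). Values are illustrative only.
SAMPLE_HEADER = """/*
Plugin Name: Bricks Builder
Version: 1.9.6
Author: (constructed sample)
*/
"""

# Matches a 'Version:' header line, with or without a leading '*' from a block comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def extract_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if it is absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple.

    A non-numeric suffix such as '-beta' is dropped from the component it is
    attached to, and parsing stops at the first component with no leading digits.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when version <= affected_max, compared component-wise.

    Tuple comparison gives the intended ordering: 1.10.0 > 1.9.6 (numeric, not
    lexical), and a longer version with an equal prefix (1.9.6.1) sorts after 1.9.6.
    """
    return parse_version(version) <= parse_version(affected_max)


def assess_header(header_text: str) -> Dict[str, object]:
    """Read the header and report whether the installed version is in the affected range."""
    version = extract_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "note": "no Version: header found"}
    return {"version": version, "affected": is_affected(version), "note": ""}


if __name__ == "__main__":
    result = assess_header(SAMPLE_HEADER)
    status = "AFFECTED: update immediately" if result["affected"] else "not in affected range"
    print(f"Version {result['version']}: {status}")
```

Point the script at the real header file of an installed copy (reading it instead of SAMPLE_HEADER) to confirm whether an update is still outstanding; a missing Version: line is reported rather than silently treated as safe.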

References:

  1. https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-021
  2. https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/
