Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites.
The Bricks Builder Theme is a premium WordPress theme described as an innovative, community-driven visual site builder. With around 25,000 active installations, the product promotes user friendliness and customization in website design.
On February 10, a researcher named ‘snicco’ discovered a vulnerability currently tracked as CVE-2024-25600 that impacts the Brick Builder Theme installed with its default configuration.
The security issue is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which could allow an unauthenticated user to exploit it to execute arbitrary PHP code.
The Patchstack platform for security vulnerabilities in WordPress received the report and notified the Bricks team. A fix became available on February 13 with the release of version 1.9.6.1.
The vendor’s advisory noted at the time that there was no evidence of the flaw being exploited but urged users to upgrade to the latest version as soon as possible.
“As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed,” reads Bricks’ bulletin.
“Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better,” the developer urged administrators.
On the same day, snicco disclosed some details about the vulnerability. Today, the researcher updated the original post to include a demo for the attack but not the exploit code.
Active exploitation underway
In a post today, Patchstack also shared complete details for CVE-2024-25600, after detecting active exploitation attempts that started on February 14.
The company explains that the flaw arises from executing user-controlled input via the eval function in prepare_query_vars_from_settings, with $php_query_raw constructed from queryEditor.
Exploitating this security risk is possible through REST API endpoints for server-side rendering, despite a nonce check in render_element_permissions_check, due to publicly accessible nonces and inadequate permission checks, which allow unauthenticated access.
Patchstack says it has observed in the post-exploitation phase that the attackers used specific malware that can disable security plugins like Wordfence and Sucuri.
The following IP addresses have been associated with most of the attacks:
- 200.251.23.57
- 92.118.170.216
- 103.187.5.128
- 149.202.55.79
- 5.252.118.211
- 91.108.240.52
Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day.
Bricks users are recommended to upgrade to version 1.9.3.1 immediately either by navigating “Appearance > Themes” in the WordPress dashboard and clicking “update,” or manually from here.