WordPress Bricks Builder Theme - Unauthenticated RCE (CVE-2024-25600)
An unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2024-25600) exists in the WordPress Bricks Builder Theme up to version 1.9.6, allowing attackers to exploit the 'render_element' endpoint by first extracting a nonce from the page source, then injecting PHP code to execute arbitrary operating system commands on the underlying web server, with a public exploit now available.
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-25600, has been disclosed and publicly exploited in the WordPress Bricks Builder Theme versions up to and including 1.9.6. Attackers can leverage the render_element endpoint, which is part of the theme's AJAX functionality, to execute arbitrary operating system commands on the compromised WordPress server. This exploitation begins with an initial request to retrieve a valid nonce from the page source, which is then used in a subsequent crafted POST request to the vulnerable endpoint. The availability of a working public exploit, identified as EDB-52619 on Exploit-DB, significantly elevates the risk, making unpatched WordPress installations using Bricks Builder Theme prime targets for immediate compromise by a broad range of malicious actors.
Attack Chain
- Initial Access: An unauthenticated attacker targets a public-facing WordPress instance running the vulnerable Bricks Builder Theme (version <= 1.9.6).
- Information Gathering: The attacker sends a GET request to the target WordPress site to retrieve the HTML source code of any page.
- Defense Evasion (Nonce Extraction): The attacker parses the HTML response to locate a
<script>tag with the IDbricks-scripts-js-extraand extracts thenoncevalue from its content using a regular expression. - Execution - PHP Code Injection: The attacker crafts a malicious JSON payload containing the extracted
nonceand PHP code designed to execute arbitrary OS commands using PHP's backtick operator (e.g.,`command`). - Exploitation Request: A POST request is sent to either
/wp-json/bricks/v1/render_elementor/?rest_route=/bricks/v1/render_elementwith the crafted JSON payload, triggering the RCE. - Command and Control: Upon successful exploitation, the attacker achieves remote code execution and can establish an interactive shell or execute further commands to maintain persistence, exfiltrate data, or deploy additional malware.
Impact
Successful exploitation of CVE-2024-25600 results in unauthenticated remote code execution on the underlying server hosting the WordPress installation. This grants attackers full control over the compromised web server, allowing them to steal sensitive data, deface the website, inject malware, pivot to other systems within the network, or establish persistent backdoors. Given the widespread use of WordPress and its themes, the potential number of vulnerable instances is high, making this a critical threat to organizations relying on Bricks Builder Theme.
Recommendation
- Immediately update the WordPress Bricks Builder Theme to a patched version (1.9.7 or newer) to remediate CVE-2024-25600.
- Deploy the
Detect CVE-2024-25600 Exploitation - Bricks Builder RCESigma rule to your SIEM and tune for your environment to identify exploitation attempts. - Monitor
webserverlogs for suspicious POST requests containing PHP code injection patterns to the/wp-json/bricks/v1/render_elementor/?rest_route=/bricks/v1/render_elementendpoints.
Detection coverage 1
Detect CVE-2024-25600 Exploitation - Bricks Builder RCE
highDetects exploitation attempts for CVE-2024-25600, an unauthenticated RCE vulnerability in WordPress Bricks Builder Theme via specific API endpoints and PHP command injection.
Detection queries are available on the platform. Get full rules →