{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/bricks-builder/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-25600"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bricks Builder Theme \u003c 1.9.7"],"_cs_severities":["high"],"_cs_tags":["wordpress","rce","webapps","exploit-db","cve"],"_cs_type":"advisory","_cs_vendors":["Bricks Builder"],"content_html":"\u003cp\u003eA critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-25600, has been disclosed and publicly exploited in the WordPress Bricks Builder Theme versions up to and including 1.9.6. Attackers can leverage the \u003ccode\u003erender_element\u003c/code\u003e endpoint, which is part of the theme's AJAX functionality, to execute arbitrary operating system commands on the compromised WordPress server. This exploitation begins with an initial request to retrieve a valid nonce from the page source, which is then used in a subsequent crafted POST request to the vulnerable endpoint. The availability of a working public exploit, identified as EDB-52619 on Exploit-DB, significantly elevates the risk, making unpatched WordPress installations using Bricks Builder Theme prime targets for immediate compromise by a broad range of malicious actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An unauthenticated attacker targets a public-facing WordPress instance running the vulnerable Bricks Builder Theme (version \u0026lt;= 1.9.6).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Gathering\u003c/strong\u003e: The attacker sends a GET request to the target WordPress site to retrieve the HTML source code of any page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Nonce Extraction)\u003c/strong\u003e: The attacker parses the HTML response to locate a \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag with the ID \u003ccode\u003ebricks-scripts-js-extra\u003c/code\u003e and extracts the \u003ccode\u003enonce\u003c/code\u003e value from its content using a regular expression.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution - PHP Code Injection\u003c/strong\u003e: The attacker crafts a malicious JSON payload containing the extracted \u003ccode\u003enonce\u003c/code\u003e and PHP code designed to execute arbitrary OS commands using PHP's backtick operator (e.g., \u003ccode\u003e`command`\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Request\u003c/strong\u003e: A POST request is sent to either \u003ccode\u003e/wp-json/bricks/v1/render_element\u003c/code\u003e or \u003ccode\u003e/?rest_route=/bricks/v1/render_element\u003c/code\u003e with the crafted JSON payload, triggering the RCE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control\u003c/strong\u003e: Upon successful exploitation, the attacker achieves remote code execution and can establish an interactive shell or execute further commands to maintain persistence, exfiltrate data, or deploy additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-25600 results in unauthenticated remote code execution on the underlying server hosting the WordPress installation. This grants attackers full control over the compromised web server, allowing them to steal sensitive data, deface the website, inject malware, pivot to other systems within the network, or establish persistent backdoors. Given the widespread use of WordPress and its themes, the potential number of vulnerable instances is high, making this a critical threat to organizations relying on Bricks Builder Theme.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the WordPress Bricks Builder Theme to a patched version (1.9.7 or newer) to remediate CVE-2024-25600.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2024-25600 Exploitation - Bricks Builder RCE\u003c/code\u003e Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for suspicious POST requests containing PHP code injection patterns to the \u003ccode\u003e/wp-json/bricks/v1/render_element\u003c/code\u003e or \u003ccode\u003e/?rest_route=/bricks/v1/render_element\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:26:28Z","date_published":"2026-07-07T13:26:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-bricks-rce/","summary":"An unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2024-25600) exists in the WordPress Bricks Builder Theme up to version 1.9.6, allowing attackers to exploit the 'render_element' endpoint by first extracting a nonce from the page source, then injecting PHP code to execute arbitrary operating system commands on the underlying web server, with a public exploit now available.","title":"WordPress Bricks Builder Theme - Unauthenticated RCE (CVE-2024-25600)","url":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-bricks-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Bricks Builder","version":"https://jsonfeed.org/version/1.1"}