Threat actors are actively exploiting a critical security vulnerability in the Bricks theme for WordPress to run arbitrary PHP code on vulnerable installations.
The vulnerability, tracked as CVE-2024-25600 (CVSS score: 9.8), allows unauthenticated attackers to achieve remote code execution. It affects every Bricks version up to and including 1.9.6.
WordPress security company Snicco discovered the vulnerability on February 10, 2024, and the theme developers fixed it in version 1.9.6.1, published three days later on February 13.
Although a proof-of-concept (PoC) exploit has not yet been made public, Snicco and Patchstack have both published technical details pointing to the prepare_query_vars_from_settings() function as the location of the vulnerable code.
The flaw lies in the use of security tokens known as "nonces" as the permission check. Once that nonce check passes, the request can carry arbitrary commands that are then executed, giving a threat actor the ability to take over the targeted website.
According to Patchstack, the nonce value is exposed on the public front end of a WordPress site, and no suitable role checks are performed before the code runs.
WordPress notes in its documentation that "Nonces should never be relied upon for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised."
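The following is an added illustrative example, not code from the Bricks theme or from Snicco or Patchstack. It contrasts a handler that treats a nonce as its only authorization gate with a hardened version that follows the WordPress guidance quoted above. The function names, the nonce action string, the required capability and the settings format are all assumptions made for the illustration.

```php
<?php
// Added example, not the theme's own code. Function names, the nonce
// action, the capability and the settings layout are assumptions.

// WEAK: a nonce is the only gate. A nonce printed into the public
// front end can be read by any visitor, so passing this check proves
// nothing about who is calling or what they are allowed to do.
function weak_render_settings( array $request ) {
    if ( ! wp_verify_nonce( $request['nonce'] ?? '', 'builder-settings' ) ) {
        wp_send_json_error( 'bad nonce', 403 ); // wp_send_json_error() exits
    }
    // The request decides what code runs: unauthenticated remote code
    // execution once the nonce has been harvested from the front end.
    $settings = $request['settings'] ?? array();
    $callback = $settings['callback'] ?? '';
    return call_user_func( $callback, $settings['args'] ?? array() );
}

// HARDENED: the nonce stays, but only as CSRF protection. Authorization
// comes from current_user_can(), and the server, not the request,
// decides which settings are accepted and how each one is sanitized.
function hardened_render_settings( array $request ) {
    if ( ! wp_verify_nonce( $request['nonce'] ?? '', 'builder-settings' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Allow-list of query variables and the sanitizer applied to each.
    $allowed = array(
        'posts_per_page' => 'absint',
        'orderby'        => 'sanitize_key',
        'post_type'      => 'sanitize_key',
    );

    $query_vars = array();
    foreach ( (array) ( $request['settings'] ?? array() ) as $key => $value ) {
        if ( isset( $allowed[ $key ] ) ) {
            $query_vars[ $key ] = call_user_func( $allowed[ $key ], $value );
        }
        // Unknown keys, including anything that names a callback or
        // carries code, are silently dropped.
    }
    return $query_vars;
}
```

The point of the hardened version is that the nonce check and the capability check answer different questions: the nonce shows the request came from a page the site itself generated (anti-CSRF), while current_user_can() shows the caller holds a role entitled to the action. Dropping the request-supplied callback removes the execution primitive entirely, so even an authorized user cannot turn a settings endpoint into a code-execution endpoint.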
As of February 19, 2024, WordPress security firm Wordfence had recorded more than thirty attack attempts exploiting the vulnerability. Exploitation attempts reportedly began on February 14, the day after the public disclosure.
The majority of the attacks originate from the following IP addresses:
200.251.23[.]57
92.118.170[.]216
103.187.5[.]128
149.202.55[.]79
5.252.118[.]211
91.108.240[.]52
Bricks is estimated to have around 25,000 active installations at the moment. Users of the theme are advised to update to version 1.9.6.1 or later without delay, since the flaw is already being exploited in the wild.