CVE-2024-25600: WordPress’s Bricks Builder RCE Flaw Under Attack

A critical remote code execution (RCE) vulnerability (CVE-2024-25600, CVSS 9.8) has been discovered in the widely used WordPress site builder, Bricks Builder. This vulnerability is actively being exploited, rendering affected websites at significant risk.

CVE-2024-25600

With approximately 25,000 active installations, Bricks Builder is a popular WordPress development theme. It provides an intuitive drag-and-drop interface to design and build your WordPress website visually. You see the changes you make in real time, eliminating the need to switch between editing and preview modes.

This vulnerability allows hackers to execute their code on your WordPress website without needing any special access or permissions.

This makes it possible for unauthenticated attackers to execute code on the server,” Wordfence warned.

This enables them to potentially:

  • Install malware or backdoors
  • Steal sensitive data
  • Deface your website
  • Use your server for further attacks

Bricks Builder has released a patch (version 1.9.6.1). If you use Bricks Builder, you MUST update to this version immediately to secure your site. The longer you wait, the higher the risk that attackers will exploit your website.

As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed,” Bricks Builder wrote on the changelog.

We advise you to update all your Bricks sites immediately.

Updating Bricks Builder is usually a straightforward process directly within your WordPress dashboard. For step-by-step instructions, refer to the Bricks Builder website or their official documentation.

While initially thought to be unexploited, security experts at Wordfence have confirmed multiple attacks targeting CVE-2024-25600 in the last 24 hours. The threat is real and immediate.

This Bricks Builder Theme vulnerability is currently being exploited and we are seeing attacks from several IP addresses, most of the attacks are from the following IP addresses:

  • 200.251.23.57
  • 92.118.170.216
  • 103.187.5.128
  • 149.202.55.79
  • 5.252.118.211
  • 91.108.240.52

We are also aware of one of the malware that is specifically used on a post-exploitation process of this vulnerability. This malware has a built-in feature to disable some of the security-related plugins such as Wordfence and Sucuri,”  reads the Patchstack security advisory

This incident reinforces the importance of staying vigilant with updates and patches, even for reputable themes and plugins. Don’t let your website become an easy target – update Bricks Builder NOW!