
Hackers exploit a critical RCE flaw in the WordPress site builder Bricks.

Hackers are actively running malicious PHP code on vulnerable websites by exploiting a critical remote code execution (RCE) flaw in the Bricks Builder theme.

Bricks Builder is a premium WordPress theme described as a creative, community-driven visual site builder. The product, which has about 25,000 active installations, promotes website design and customization features.

A vulnerability tracked as CVE-2024-25600, which affects the Bricks Builder theme in its default configuration, was found on February 10 by a researcher known as "snicco."

The flaw stems from an eval() call in the prepare_query_vars_from_settings function, which an unauthenticated user could abuse to run arbitrary PHP code.

The report was received through Patchstack, a security platform for WordPress vulnerabilities, which informed the Bricks team. A fix was made available with the release of version 1.9.6.1 on February 13.

Users were urged to upgrade to the latest version as soon as possible, even though the vendor's advisory noted at the time that there was no indication the flaw was being exploited.

There is no proof that this vulnerability has been taken advantage of as of the time of this release. The longer the update to 1.9.6.1 is delayed, the more potential there is for exploitation, according to Bricks' bulletin.

As soon as you can, update all of your Bricks websites to the most recent version 1.9.6.1, but at the very least within the following day. The developer advised administrators to act sooner rather than later.

Snicco published some details about the vulnerability on the same day. Today, the researcher added an attack demo, omitting the exploit code, to the original post.

Exploitation is currently underway

Patchstack observed active exploitation attempts beginning on February 14 and published full details for CVE-2024-25600 in a post today.

According to the company, the flaw stems from the eval() call in prepare_query_vars_from_settings, which executes user-controlled input assembled from queryEditor.

The issue is exploitable through the REST API endpoints used for server-side rendering. Although render_element_permissions_check performs a nonce check, the nonces are publicly accessible and the permission checks are insufficient, so unauthenticated access is permitted.
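As an added illustration that is not the Bricks theme's own code, the following hypothetical WordPress REST route shows the two defensive points above: a nonce check alone does not authorize a caller, and user-supplied query settings should be mapped through an allow-list rather than executed. All names prefixed demo_ and the demo/v1/render route are assumptions.

```php
<?php
// Added illustration (hypothetical, not the Bricks theme's code): a REST route
// for server-side rendering, showing why a nonce alone is not authorization
// and how to keep user-controlled query settings out of eval().
// Weak pattern described in the article: the permission callback verifies only
// a nonce. REST nonces are frequently exposed to any visitor (e.g. in front-end
// markup), so a valid nonce does not prove the caller is a trusted user.
function demo_weak_permissions_check( WP_REST_Request $request ) {
    return wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) !== false;
}

// Hardened pattern: require a logged-in user holding an explicit capability,
// then check the nonce for CSRF protection. Unauthenticated callers get 403.
function demo_hardened_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) !== false;
}

// Safe handling of a query-editor style setting: never execute the submitted
// text. Accept only an allow-list of WP_Query arguments and sanitize each value;
// anything else is silently dropped.
function demo_prepare_query_vars( array $settings ) {
    $allowed = array(
        'post_type'      => 'sanitize_key',
        'posts_per_page' => 'absint',
        'orderby'        => 'sanitize_key',
        'order'          => 'sanitize_key',
    );
    $query_vars = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $settings[ $key ] ) ) {
            $query_vars[ $key ] = call_user_func( $sanitizer, $settings[ $key ] );
        }
    }
    return $query_vars; // goes to new WP_Query( $query_vars ), never to eval()
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/render', array(
        'methods'             => 'POST',
        'permission_callback' => 'demo_hardened_permissions_check',
        'callback'            => function ( WP_REST_Request $request ) {
            $vars = demo_prepare_query_vars( (array) $request->get_param( 'settings' ) );
            return rest_ensure_response( array( 'query_vars' => $vars ) );
        },
    ) );
} );
```

The weak callback is shown for contrast only; the route is registered with the hardened one, which is the pattern to audit for in any plugin or theme exposing rendering endpoints.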

Patchstack reported that, in the post-exploitation phase, the attackers used specific malware capable of disabling security plugins such as Wordfence and Sucuri.

Most attacks have been linked to a small set of source IP addresses.

Wordfence also confirmed active exploitation of CVE-2024-25600, reporting 24 detections in the previous day.

Users of Bricks are advised to upgrade to version 1.9.6.1 right away, either manually from this page or by going to "Appearance > Themes" in the WordPress dashboard and clicking "update."
