Threat actors actively use a critical security flaw in the WordPress Bricks theme to run arbitrary PHP code on vulnerable installations.
Unauthenticated attackers can execute remote code thanks to the flaw, which is identified as CVE-2024-25600 ( CVSS score: 9.8 ). It has an effect on all Bricks versions up to and including 1. 9.6.
Just days after WordPress security provider Snicco reported the flaw on February 10, 2024, the theme developers fixed it in version 1. 9.6.1, which was released on that date.
Technical information has been made available by Snicco and Patchstack, noting that the prepare_query_vars_from_settings ( ) function contains the underlying vulnerable code even though a proof-of-concept ( PoC ) exploit has not yet been released.
It specifically relates to the use of security tokens known as “nonces” to validate permissions before passing arbitrary commands for execution, enabling a threat actor to take over an intended website.
Patchstack added that there are n’t enough role checks in place and that the nonce value is publicly accessible on a WordPress site’s frontend.
WordPress issues a warning in its documentation, saying that” Nonces should never be relied upon for authentication, authorization, or access control.” ” Assume nonces can be compromised and use current_user_can ( ) to protect your functions.”
As of February 19, 2024, Wordfence, a WordPress security company, had identified more than thirty attack attempts that took advantage of the flaw. On February 14, the day following public disclosure, exploitation attempts are rumored to have started.
The following IP addresses are responsible for the majority of attacks:
- 200.251.23[.]57
- 92.118.170[.]216
- 103.187.5[.]128
- 149.202.55[.]79
- 5.252.118[.]211
- 91.108.240[.]52
There are reportedly about 25,000 active brick installations. To reduce potential threats, plugin users are advised to use the most recent patches.