Hackers are actively exploiting a critical remote code execution flaw in the Bricks Builder Theme to run malicious PHP code on vulnerable sites.
The Bricks Builder Theme is a premium WordPress theme described as an innovative, community-driven visual site builder.
With around 25,000 active installations, the product promotes user friendliness and customization in website design.
On February 10, a researcher named 'snicco' discovered a vulnerability, now tracked as CVE-2024-25600, that affects the Bricks Builder Theme in its default configuration.
The security issue stems from an eval call in the `prepare_query_vars_from_settings` function, which allows an unauthenticated attacker to execute arbitrary PHP code.
The Patchstack platform for security vulnerabilities in WordPress received the report and notified the Bricks team.
A fix became available on February 13 with the release of version 1.9.6.1.
The vendor's advisory noted at the time that there was no evidence of the flaw being exploited but urged users to upgrade to the latest version as soon as possible.
On the same day, snicco disclosed some details about the vulnerability.
Today, the researcher updated the original post to include a demo for the attack but not the exploit code.
In a post today, Patchstack also shared complete details for CVE-2024-25600, after detecting active exploitation attempts that started on February 14.
The company explains that the flaw arises from executing user-controlled input via the eval function in `prepare_query_vars_from_settings`, where `$php_query_raw` is constructed from the `queryEditor` setting.
Exploitation is possible through the REST API endpoints used for server-side rendering: although `render_element_permissions_check` performs a nonce check, the nonce is publicly accessible and the permission checks are inadequate, so unauthenticated requests are allowed through.
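To make the two root causes concrete, here is an added illustration (not code from Bricks or Patchstack) of a WordPress REST permission callback that relies on a nonce alone beside one that also enforces a capability, plus a settings-to-query helper that allow-lists keys instead of passing a client-supplied PHP string to eval. The route, function names and accepted settings keys are hypothetical.

```php
<?php
// Added illustration, not Bricks' own code. Route, function names and the
// accepted settings keys are hypothetical.

// WEAK: a nonce only proves the request originated from a page that embedded
// that nonce. If the nonce is printed on public pages, every visitor has it,
// so this check does nothing to stop unauthenticated callers.
function demo_permission_nonce_only( WP_REST_Request $request ) {
    return false !== wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// HARDENED: authorisation comes from the user's capability; the nonce stays
// only as a CSRF guard. Anonymous callers fail here whatever nonce they send.
function demo_permission_capability( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return false !== wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// HARDENED: translate element settings into WP_Query arguments by allow-listing
// known keys and coercing each value, instead of eval()-ing a PHP string.
function demo_query_vars_from_settings( array $settings ) {
    $allowed = array(
        'post_type'      => 'sanitize_key',
        'posts_per_page' => 'absint',
        'orderby'        => 'sanitize_key',
    );
    $vars = array();
    foreach ( $allowed as $key => $coerce ) {
        if ( isset( $settings[ $key ] ) ) {
            $vars[ $key ] = $coerce( $settings[ $key ] );
        }
    }
    return $vars;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/render', array(
        'methods'             => 'POST',
        'permission_callback' => 'demo_permission_capability',
        'callback'            => function ( WP_REST_Request $request ) {
            $vars = demo_query_vars_from_settings( (array) $request->get_param( 'settings' ) );
            return rest_ensure_response( wp_list_pluck( ( new WP_Query( $vars ) )->posts, 'post_title', 'ID' ) );
        },
    ) );
} );
```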
Patchstack says that, in the post-exploitation phase, the attackers deployed malware that can disable security plugins such as Wordfence and Sucuri.
Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 19 Feb 2024 18:00:46 +0000