
Imperva successfully defends against CVE-2024-25600 in WordPress Bricks Builder


A critical vulnerability in the Bricks Builder site builder for WordPress, tracked as CVE-2024-25600, is currently under active exploitation and poses a significant threat to over 25,000 sites. This flaw, with a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary PHP code on affected websites, potentially giving them full control. The vulnerability resides in the prepare_query_vars_from_settings() function and stems from the improper use of security tokens known as “nonces” for verifying permissions. WordPress security firms have already observed numerous exploitation attempts and urge users to update their installations immediately to safeguard against potential attacks.
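The root cause described above, a nonce used as if it were an authorization check, is a general WordPress anti-pattern worth seeing side by side with its fix. A nonce only demonstrates that a request originated from a page that rendered that nonce; if the nonce is printed into front-end markup that unauthenticated visitors can load, any visitor can satisfy the check. The example below is an added illustration and is not Bricks Builder's code or Imperva's: the route name `example/v1/setting`, the option name `example_plugin_setting` and the callback names are hypothetical, while `wp_verify_nonce`, `current_user_can`, `register_rest_route` and the other calls are standard WordPress APIs.

```php
<?php
// Added illustration (not Bricks Builder's code): a WordPress REST endpoint that
// performs a privileged action. Route, option and callback names are hypothetical.

// --- Weak pattern: a nonce check standing in for an authorization check. ---
// A nonce only proves the request came from a page where that nonce was printed.
// If the page is served to unauthenticated visitors, anyone can read the nonce
// and pass this callback, so it grants no real protection for a privileged action.
function example_weak_permission_callback( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// --- Hardened pattern: the nonce still guards against CSRF, but the decision
// about WHO may run the action is a capability check on the logged-in user. ---
function example_hardened_permission_callback( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_bad_nonce', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }
    // Capability, not nonce, is the authorization decision. An unauthenticated
    // request has no capabilities and is rejected here regardless of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler for the privileged action (hypothetical: updating a site option).
// Request input is sanitized and stored as data; nothing from it is executed as code.
function example_update_setting( WP_REST_Request $request ) {
    $value = sanitize_text_field( $request->get_param( 'value' ) );
    update_option( 'example_plugin_setting', $value );
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_update_setting',
        // example_weak_permission_callback is the anti-pattern shown above;
        // the hardened callback is the one to ship.
        'permission_callback' => 'example_hardened_permission_callback',
        'args'                => array(
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for every `permission_callback`, `wp_ajax_nopriv_` hook and `admin_post_nopriv_` hook whose only gate is `wp_verify_nonce` or `check_ajax_referer`; each one needs an explicit `current_user_can()` check matched to the privilege the action actually requires.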

While a public exploit was just released, Imperva Threat Research has so far seen only a handful of attempts using it, although we expect the numbers to increase in the coming days. Imperva Threat Research has also observed exploitation attempts not covered by the PoC, with attackers trying to install PHP-based webshells to gain access to the servers running these sites, and has successfully blocked these malicious attempts.

Imperva customers are protected against CVE-2024-25600. Imperva Cloud WAF and On-Prem customers with SecureSphere Emergency Feed enabled are protected out of the box. On-Prem customers without Emergency Feed will need to manually add the signature published via our Customer Portal. Even with protection, we urge our customers to remain vigilant and update their systems with the latest security patches.