threatover Patrik Grobshäuser

CVE-2024-25600 · Unauth RCE · Bricks theme

Bricks Builder RCE cleanup.

Bricks Builder versions 1.0–1.9.6 had an unauthenticated RCE that was mass-exploited within 24 hours of disclosure. If your site ran an affected version, treat it as compromised until proven otherwise. I clean it manually. Flat $279.

What the bug was

User input → eval(), no authentication.

Bricks Builder exposed a REST route that parsed user-supplied PHP expressions and ran them through eval(). The endpoint did not require authentication. Any unauthenticated visitor could execute arbitrary PHP on the server.

Affected: 1.0 through 1.9.6. Patched: 1.9.6.1, released February 13, 2024. The patch was a forced update for licensed installs, but anyone using a pirated copy or a stale cache got hit.

Indicators

What attackers leave behind.

  • Access log

    POSTs to /wp-json/bricks/v1/render_element with a 200 response. Common indicator: many such requests within minutes from a small set of IPs.

  • Files

    Fresh PHP in wp-content/uploads/ — frequently named to look mundane (cache.php, index.php, .ico.php). Compare against a clean WordPress install.

  • Users

    Admin accounts created since February 2024 that you didn't create. Often with auto-generated usernames or throwaway emails.

  • Options

    Newly autoloaded wp_options rows — particularly anything with base64-encoded payloads or unfamiliar option names.
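Scanning the access log for the first indicator above, as an added example (not part of the original page): it parses combined-format log lines, keeps successful POSTs to the render_element route, and flags source IPs that hit it repeatedly within a few minutes. The log lines are constructed samples, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined log format (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2024:03:12:01 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2024:03:12:04 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2024:03:12:09 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 611 "-" "python-requests/2.31"
198.51.100.2 - - [14/Feb/2024:03:15:40 +0000] "GET /wp-json/bricks/v1/render_element HTTP/1.1" 401 85 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2024:09:01:00 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 520 "-" "curl/8.4.0"
192.0.2.5 - - [14/Feb/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 4032 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ROUTE = "/wp-json/bricks/v1/render_element"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_render_element_hits(log_text):
    """Successful (HTTP 200) POSTs to the vulnerable route, grouped by source IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == ROUTE and status == 200:
            hits[ip].append(ts)
    return hits

def burst_sources(hits, min_hits=3, window=timedelta(minutes=5)):
    """IPs with at least min_hits successful POSTs inside any sliding time window."""
    flagged = set()
    for ip, times in hits.items():
        times = sorted(times)
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged
```

Point it at the real access log (including rotated files) and treat every flagged IP as a trigger to check the uploads directory, user table and wp_options for the other indicators.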

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.


Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.


Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.


Email [email protected] or use the contact form.