threatover

// CVE-2024-25600 · UNAUTH RCE · BRICKS THEME

Bricks Builder RCE.
Cleaned.

Bricks Builder versions 1.0–1.9.6 had an unauthenticated RCE that was mass-exploited within 24 hours of disclosure. If your site ran an affected version, treat it as compromised until proven otherwise. We clean by hand. Flat $279.

§ 01 — WHAT THE BUG WAS

User-controlled PHP expression → eval(), behind a nonce anyone could read.

Bricks Builder's REST route /wp-json/bricks/v1/render_element took element settings from the request body, including a query-editor expression, and ran that string through eval(). The route's only access check was a nonce that the theme prints into the public HTML of every front-end page, so any visitor could copy it from the page source and execute arbitrary PHP as the web server user. No account of any kind was required.

Affected: 1.0 through 1.9.6. Patched: 1.9.6.1, released February 13, 2024. Licensed installs were pushed the update through the theme's own updater; sites running a pirated copy, or sitting on a stale update cache, stayed exposed and got hit. The installed version is in the header of wp-content/themes/bricks/style.css.

§ 02 — INDICATORS

What attackers leave behind.

  • [ ACCESS LOG ]

    POSTs to /wp-json/bricks/v1/render_element with a 200 response. Legitimate editor sessions use the same route, so a single 200 proves nothing; the indicator is volume and source: many such requests within a few minutes from a small set of IPs, typically followed by requests to a new PHP file under wp-content/uploads/.

  • [ FILES ]

    Fresh PHP in wp-content/uploads/, frequently named to look mundane (cache.php, index.php, .ico.php). WordPress never writes PHP under uploads, so any .php there is suspect; for the rest of the tree, compare wp-admin/, wp-includes/ and the root files against a clean copy of the same WordPress version.

  • [ USERS ]

    Admin accounts created since February 2024 that you didn't create, often with auto-generated usernames or throwaway email addresses. Check user_registered in wp_users and the wp_capabilities row in wp_usermeta, not just the Users screen, which a backdoor can hide from.

  • [ OPTIONS ]

    Newly autoloaded wp_options rows (autoload = 'yes'), particularly unfamiliar option names or values carrying base64-encoded payloads. Autoloaded options are read on every request, which is why persistence code favours them.
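The access-log indicator above, turned into a triage script. This is an added example for this page, not code from the original guide or from Bricks. The log lines are constructed for illustration (combined log format, RFC 5737 test addresses); the route /wp-json/bricks/v1/render_element is the one the page names. The script keeps only successful POSTs to that route, flags IPs that fire a burst of them inside a short window, and lists successful hits on PHP files under wp-content/uploads/, which is where the dropped webshell usually shows up next in the same log.

```python
"""Triage a web server access log for CVE-2024-25600 exploitation traffic.

Added example, not part of the original page. Log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format. One IP bursts the
# render route three times in three seconds and then fetches a PHP file it
# dropped into uploads; another gets a 403; a third is a single 200 that
# on its own looks like ordinary editor use.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2024:03:12:01 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2024:03:12:03 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2024:03:12:04 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 530 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2024:03:12:09 +0000] "GET /wp-content/uploads/2024/02/cache.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Feb/2024:03:40:11 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 403 77 "-" "curl/8.4.0"
192.0.2.10 - - [14/Feb/2024:04:00:00 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2024:04:00:02 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
RENDER_PATH = "/wp-json/bricks/v1/render_element"
UPLOADS_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.php(\?|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, window_seconds=300, burst_threshold=3):
    """Return (render_element 200s per IP, IPs with a burst, uploads PHP 200s).

    A "burst" is burst_threshold or more successful render_element POSTs from
    one IP inside window_seconds; that, not a lone 200, is the signal.
    """
    render_hits = defaultdict(list)
    uploads_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == RENDER_PATH and rec["status"] == 200:
            render_hits[rec["ip"]].append(rec["ts"])
        if rec["status"] == 200 and UPLOADS_PHP_RE.match(rec["path"]):
            uploads_hits.append((rec["ip"], rec["path"]))

    bursting = set()
    for ip, stamps in render_hits.items():
        stamps.sort()
        # Sliding window over sorted timestamps: any threshold-sized run that
        # fits inside the window marks the IP.
        for i in range(len(stamps) - burst_threshold + 1):
            span = (stamps[i + burst_threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                bursting.add(ip)
                break

    counts = {ip: len(stamps) for ip, stamps in render_hits.items()}
    return counts, bursting, uploads_hits


if __name__ == "__main__":
    counts, bursting, uploads = triage(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = "BURST" if ip in bursting else "single"
        print(f"{ip:16} render_element 200s={n} {flag}")
    for ip, path in uploads:
        print(f"{ip:16} PHP served from uploads: {path}")
```

Run it against the real log with `triage(open(path).read())`; tune `window_seconds` and `burst_threshold` to the site's normal editor traffic, and treat any IP that both bursts the route and later hits a .php under uploads as the attacker's source.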

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, identification of the entry vector, written forensic report. 30-day reinfection guarantee.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANYTIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Compromised site? Start an engagement.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open the form →