First disclosed by security researcher Calvin Alkan of snicco, the vulnerability impacts all versions of Bricks Builder before version 1.9.6.1. Identified as a Remote Code Execution (RCE) flaw, it poses a critical security risk, allowing attackers to potentially gain unauthorized control over websites running on an affected version of Bricks.

What is Bricks?

Bricks or Bricks Builder is a visual site builder that allows users to create web pages on WordPress without using code through their drag-and-drop interface. Unlike other similar products in the WordPress ecosystem which deliver functionality through plugins, the Bricks Builder uses the theme functionality as it’s way of delivering features to users.

Understanding RCE Vulnerabilities

RCE vulnerabilities are among the most critical types of security flaws. They allow attackers to execute arbitrary code on a website from a remote location, allowing them to control the site, access confidential data, distribute malware, and more.

Timeline of the Patch

The vulnerability disclosure timeline is commendable for its efficiency. The flaw was reported to Bricks by security research team snicco on February 10, 2024, marking the start of a swift and effective response. Bricks acknowledged the issue on the same day and, by February 13, had released the patch (1.9.6.1) following snicco’s recommendations. 

Update Highly Recommended

Wordfence has labelled the severity of this vulnerability a 9.8 out of 10 while Patchstack has labelled it a 10 out 10, marking it a critical update for website owners using Bricks. Users are urged to update their installations immediately to protect their sites from potential exploits.

If you would like to learn more about how this security vulnerability was discovered, Calvin Alkan will be joining Remkus De Vries on his show for a discussion on this and other related security topics.