vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Bricks WordPress Builder RCE Flaw Targeted by Hackers

By Husain Parvez, Cybersecurity Researcher. Published on 22nd February 2024.

A critical vulnerability in the Bricks Builder theme for WordPress, tracked as CVE-2024-25600, has been actively exploited by hackers. The flaw, affecting over 25,000 websites, allows unauthenticated attackers to execute arbitrary PHP code on a site or server. It was discovered by a security researcher named Calvin Alkan and has since been reported to the Patchstack bug bounty program.

The vulnerability has been rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), highlighting its severity. It stems from an eval function call in the 'prepare_query_vars_from_settings' function, which could potentially allow an unauthenticated user to execute arbitrary PHP code.

The issue was promptly addressed by the Bricks team, who released a security update on February 13 that patches the vulnerability. "We just released a mandatory security update with Bricks 1.9.6.1," the Bricks team announced.

Despite the quick response from the Bricks team, active exploitation of the vulnerability began on February 14, just a day after the patch was released. Attackers have been using the exploit to deploy malware that can disable security plugins like Wordfence and Sucuri, further compromising affected websites. Website administrators using the Bricks Builder theme are strongly advised to update to the latest version immediately to mitigate the risk of exploitation.
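The update advice above can be turned into a fleet-wide check. The following is an added example, not code from the article or from the Bricks project: it reads the WordPress theme header in style.css, assumes the theme directory is wp-content/themes/bricks, and flags any install whose Bricks version sorts before the patched 1.9.6.1 release. The sample header is constructed.

```python
import re
import tempfile
from pathlib import Path

PATCHED = "1.9.6.1"  # Bricks release that fixes CVE-2024-25600 (from the article)

# Constructed sample of a WordPress theme header, as found at the top of style.css
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Version: 1.9.6
*/
"""

def parse_version(text):
    """'1.9.6' -> (1, 9, 6). A pre-release suffix such as '-beta' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def is_vulnerable(version):
    """True when the version sorts before the patched release.
    Both tuples are zero-padded so 1.9.6 compares as (1,9,6,0) < (1,9,6,1)."""
    v, p = parse_version(version), parse_version(PATCHED)
    width = max(len(v), len(p))
    return v + (0,) * (width - len(v)) < p + (0,) * (width - len(p))

def theme_version_from_style_css(text):
    """Read the 'Version:' field of the theme header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def check_wp_root(wp_root):
    """Inspect one WordPress install. The theme directory name
    wp-content/themes/bricks is an assumption, not taken from the article."""
    css = Path(wp_root) / "wp-content" / "themes" / "bricks" / "style.css"
    if not css.is_file():
        return {"root": str(wp_root), "status": "no-bricks"}
    version = theme_version_from_style_css(css.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return {"root": str(wp_root), "status": "unknown-version"}
    status = "VULNERABLE" if is_vulnerable(version) else "patched"
    return {"root": str(wp_root), "version": version, "status": status}

def demo():
    """Build a throwaway install from the constructed header and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme_dir = Path(tmp) / "wp-content" / "themes" / "bricks"
        theme_dir.mkdir(parents=True)
        (theme_dir / "style.css").write_text(SAMPLE_STYLE_CSS, encoding="utf-8")
        return check_wp_root(tmp)
```

Run check_wp_root() against each document root you manage; any result marked VULNERABLE still needs the Bricks 1.9.6.1 update.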

Even after updating, it is recommended to check for signs of compromise, as attackers may have exploited the vulnerability before the patch was applied.

This incident serves as a reminder of the ongoing threat posed by vulnerabilities in WordPress themes and plugins. We have highlighted previous incidents of WordPress plugins putting sites at risk, with as many as 200,000 websites affected in an incident last year. There is a critical need for website administrators to remain vigilant, regularly update their software, and implement robust security measures to protect against such threats.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
