Gold Penguin Logo with Text

Bricks Builder Pushes Critical Security Update to Patch Remote Code Execution Vulnerability

Bricks Builder just released an urgent security patch to fix a critical remote code execution vulnerability that could allow hackers to take control of Bricks-powered websites if exploited.
Updated March 14, 2024

Popular WordPress theme builder Bricks Builder has released an urgent security update patching a critical remote code execution (RCE) vulnerability in its platform.

The vulnerability could allow attackers to execute arbitrary PHP code on Bricks-powered websites. If exploited, this would effectively hand control of the site over to hackers.

The Bricks team was alerted to the issue by a prominent WordPress security expert and immediately prepared patch 1.9.6.1. The company is strongly advising all users to install the update within 24 hours to protect their sites.

While there is no evidence this flaw has been actively exploited yet, the window of exposure grows the longer users delay updating. Bricks is being abundantly cautious in its handling of the issue. The update can be installed via the WordPress dashboard like a normal plugin update.

Users are warned that restoring backups could reintroduce the vulnerable code if they predate 1.9.6.1.

User Feedback on the Update Process

The security update prompted discussion within the Bricks Facebook community group as users worked to understand the issue and update their sites.

Several users expressed appreciation for the urgent, transparent communication from Thomas Ehrig. However, some questions lingered around the specifics of the vulnerability itself and what versions were affected.

A few users also reported minor technical issues that temporarily hindered smooth updating for some. This included inconsistencies with update notifications in the WordPress dashboard and challenges downloading the patch file manually.

The Technical Stuff

Rick Tibbe, an active member of the Bricks Facebook community group, helped clarify details around the vulnerability itself. Tibbe explained that the RCE flaw stems specifically from Bricks' integration of AJAX calls to support dynamic content updates.

The AJAX integration opened a backdoor that could enable remote code execution if targeted by attackers specifically looking to exploit Bricks sites. He speculated the vulnerability may have flown under the radar simply because Bricks isn't as high-profile a target as mainstream WordPress plugins.

Tibbe also reiterated this is a critical threat for any Bricks users not yet updated to 1.9.6.1, as site takeovers could still be possible. At the same time, he agreed there is no evidence this flaw has been exploited at scale in the wild. For any users struggling with manual downloads or update errors, he advised opening support tickets so the Bricks team can investigate and assist.

March 14th Further Updates and Security Enhancements

On March 14, 2024, the Bricks team sent out another email to users with an update on the security situation and additional changes introduced in versions 1.9.7 and 1.9.7.1.

The Bricks team explained that the 1.9.6.1 update was an immediate fix for the reported vulnerability, but they have since conducted a thorough review of their entire codebase. This led to the development of version 1.9.7, which introduced several new security features and improvements.

Key changes in Bricks 1.9.7 and 1.9.7.1 include:

  1. Code execution is now disabled by default and must be explicitly enabled by users.
  2. A new code signature feature ensures that only trusted, unaltered code can be executed.
  3. A code review tool allows users to inspect all executable code and dynamic "echo" tags on their site.
  4. Functions used in dynamic "echo" tags must now be whitelisted via a new filter.

The Bricks team acknowledged these changes may be disruptive for some users but emphasized they are necessary to ensure the highest security standards moving forward.

They provided a detailed update checklist for users to follow when updating to 1.9.7 or 1.9.7.1. The checklist includes performing a full site backup, enabling code execution if needed, generating code signatures, and adding approved functions for "echo" tags.

While these updates require some extra steps and adjustments from users, they demonstrate Bricks' commitment to proactively addressing security concerns and fortifying the platform against potential vulnerabilities.

As always, users are encouraged to update promptly and contact the Bricks support team with any questions or issues. They seem to be pretty upfront about what's going on.

Want To Learn Even More?
If you enjoyed this article, subscribe to our free monthly newsletter
where we share tips & tricks on how to use tech & AI to grow and optimize your business, career, and life.
Written by Justin Gluska
Justin is the founder of Gold Penguin, a business technology blog that helps people start, grow, and scale their business using AI. The world is changing and he believes it's best to make use of the new technology that is starting to change the world. If it can help you make more money or save you time, he'll write about it!
Subscribe
Notify of
guest

1 Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Join Our Newsletter!
If you enjoyed this article, subscribe to our newsletter where we share tips & tricks on how to make use of some incredible AI tools that you can use to grow and optimize a business
magnifiercross