Bricks Builder for WordPress RCE Vulnerability

Bricks Visual Site Builder for WordPress recently patched a critical-severity vulnerability, rated 9.8/10, that is currently being actively exploited.

Bricks Builder is a popular WordPress development theme that makes it easy to build attractive, fast-performing websites in hours, sites that could cost up to $20,000 in development time without it. Its ease of use and its developer components for CSS have made it a popular choice among developers.

Unauthenticated RCE Vulnerability

Bricks Builder is affected by a remote code execution (RCE) vulnerability. It has a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS), just short of the maximum.

What makes this vulnerability particularly bad is that it is unauthenticated: an attacker does not need to log in or hold any credentials to exploit it. Anyone who knows about the vulnerability can exploit it, which in this case means an attacker can execute code on the server.

Wordfence describes what can happen:

“This makes it possible for unauthenticated attackers to execute code on the server.”

The details of the vulnerability have not been officially released.

According to the official Bricks Builder change log:

“We just released a mandatory security update with Bricks 1.9.6.1.

A leading security expert in the WordPress space just brought this vulnerability to our attention and we immediately got to work, providing you with a verified patch now.

At the time of this release, there is no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed.

We recommend that you update all of your Bricks sites immediately.”

The vulnerability is being actively exploited

According to Adam J. Humphreys (LinkedIn), founder of web development company Making 8, the vulnerability is being actively exploited. The Bricks Builder Facebook community is said to be responding to affected users with information on how to recover from the vulnerability.

Adam J. Humphreys commented on SEJ:

“Everybody’s getting it wrong. Host people without good security were exploited. A lot of people are dealing with it now. It’s a bloodbath and it’s the number one ranked builder.

I have strong security. I am very happy to be very protective of customers. Everything seemed over the top until that.

People on hosts without good security were exploited.

SiteGround when installed has WordPress security. They also have a CDN and easy migrations with their plugin. I have found their support more responsive than more expensive hosts. SiteGround’s WordPress security plugin is good, but I also combine it with Wordfence because protection never hurts.”

Recommendations:

All Bricks Builder users are encouraged to upgrade to the latest version, 1.9.6.1.

Bricks Builder’s changelog announcement reports:

“Update now: Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The sooner the better.

Backup Caution: If you use website backups, remember that they may contain an older and vulnerable version of Bricks. Restoring from these backups may reintroduce the vulnerability. Please update your backups to the secure version 1.9.6.1.”

This is a developing story; more information will be added as it becomes known.

About the Author: Ted Simmons

I follow and report the current news trends on Google news.
