CVE-2022-3400: Bricks Theme for WordPress Authorization Bypass Vulnerability (Versions 1. - 1.5.3) and Exploit Details

Hello everyone!
Today, we're going to discuss a new vulnerability affecting the Bricks theme for WordPress, which has been assigned the ID CVE-2022-3400. We will go through the details of this vulnerability, the affected code snippet, and original references on how to fix it. Moreover, we will talk about the exploit details and how an attacker may take advantage of this flaw in affected versions of the Bricks theme.

Vulnerability Overview

The Bricks theme for WordPress versions 1. to 1.5.3 was found to be vulnerable to an authorization bypass due to a missing capability check on the bricks_save_post AJAX action. As a result, authenticated attackers with minimal permissions, like a subscriber, can edit any page, post, or template on the impacted WordPress website.

Code Snippet

In the affected code snippet, we can see that there's no capability check validates the user's permission level before saving the page, post, or template.

function bricks_save_post() {
  if ( isset( $_POST['post_id'] ) && isset( $_POST['bricks_inner_blocks'] ) ) {
    $post_id = intval( $_POST['post_id'] );
    $bricks_inner_blocks = stripslashes( $_POST['bricks_inner_blocks'] );

    update_post_meta( $post_id, 'bricks_inner_blocks', $bricks_inner_blocks );
  }
}
add_action( 'wp_ajax_bricks_save_post', 'bricks_save_post' );

Exploit Details

For a successful exploit, the attacker must be authenticated with minimal permissions (e.g., as a subscriber). Once logged in, an attacker can craft a malicious request to the server using the bricks_save_post AJAX action, including the desired post_id, and proceed to edit any page, post, or template without the required authorization.

POST /wp-admin/admin-ajax.php?action=bricks_save_post HTTP/1.1
Host: target-wordpress-site.com
Content-Type: application/x-www-form-urlencoded

post_id=TARGET_POST_ID&bricks_inner_blocks=MALICIOUS_CONTENT

By exploiting this vulnerability, a malicious user can insert phishing content, injected code, or any other undesired content into the affected WordPress site. This may lead to severe consequences like loss of trust, defacement, or further compromise of the site.

Links to Original References

The vulnerability has been reported in the CVE database with the ID CVE-2022-3400.

_CVE Details:_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3400

Furthermore, the developers of the Bricks theme have released version 1.6, which fixes the vulnerability by implementing a capability check as seen below:

function bricks_save_post() {
  if ( isset( $_POST['post_id'] ) && isset( $_POST['bricks_inner_blocks'] ) ) {
    $post_id = intval( $_POST['post_id'] );

    // Check capability and nonce
    if ( ! current_user_can( 'edit_post', $post_id ) || ! wp_verify_nonce( $_POST['nonce'], 'bricks_nonce' ) ) {
      return;
    }

    $bricks_inner_blocks = stripslashes( $_POST['bricks_inner_blocks'] );
    update_post_meta( $post_id, 'bricks_inner_blocks', $bricks_inner_blocks );
  }
}
add_action( 'wp_ajax_bricks_save_post', 'bricks_save_post' );

_Theme Developer's Release Notes:_ https://bricksbuilder.io/changelog/

To protect your WordPress site, it's strongly recommended to update the Bricks theme to the latest version 1.6. Additionally, make sure to enforce strong authentication mechanisms and restrict the permissions of your WordPress users to further secure your website against unauthorized access.

I hope this detailed information will be helpful for all those who want to understand CVE-2022-3400 vulnerability and take necessary actions to secure their WordPress sites using the Bricks theme. Stay safe, and happy coding!

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:52:00 UTC