Bricks Builder for WordPress Remote Code Execution Vulnerability

Bricks Visual Site Builder for WordPress recently patched a critical vulnerability, rated 9.8/10, that is currently being exploited.

## Bricks Builder

Bricks Builder is a popular WordPress development theme that enables users to create attractive and high-performing websites in a fraction of the time and cost it would take to develop them from scratch. Its ease of use and developer-friendly CSS components have made it a favored choice among developers.

## Unauthenticated RCE Vulnerability

Bricks Builder is affected by a remote code execution (RCE) vulnerability rated 9.8/10 on the Common Vulnerability Scoring System (CVSS), a near-maximum severity. The vulnerability is particularly concerning because it is unauthenticated: an attacker does not need an account or credentials on the site to exploit it, and could execute code on the server.

Wordfence describes the situation:

> “This makes it possible for unauthenticated attackers to execute code on the server.”

The specific details of the vulnerability have not been disclosed.

According to the official Bricks Builder changelog:

> “We just released a mandatory security update with Bricks 1.9.6.1.
>
> A leading security expert in the WordPress space just brought this vulnerability to our attention, and we instantly got to work, providing you now with a verified patch.
>
> As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed.
>
> We advise you to update all your Bricks sites immediately.”

## Vulnerability Is Being Actively Exploited

Adam J. Humphreys, founder of the web development company Making 8, confirms that the vulnerability is actively being exploited. The Bricks Builder Facebook community is aiding affected users with recovery information.

Adam J. Humphreys commented:

> “Everyone is getting hit bad. People on hosts without good security got exploited. A lot of people are dealing with it now. It’s a bloodbath and it’s the number one rated builder.
>
> I have strong security. I’m so glad that I’m very protective of clients. It all seemed overkill until this.
>
> People on hosts without good security got exploited.
>
> SiteGround when installed has WordPress security. They also have a CDN and easy migrations with their plugin. I’ve found their support more responsive than the most expensive hosts. The WordPress security plugin at SiteGround is good but I also combine this with Wordfence because protection never hurts.”

## Recommendations

All Bricks Builder users are strongly encouraged to update to the latest version, 1.9.6.1. The Bricks Builder changelog announcement advises:

> “Update Now: Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better.
>
> Backup Caution: If you use website backups, remember they may include an older, vulnerable version of Bricks. Restoring from these backups can reintroduce the vulnerability. Please update your backups with the secure 1.9.6.1 version.”
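Both pieces of advice above (update every site, and make sure a restored backup is not quietly carrying the older theme) come down to one check: is the installed Bricks theme at 1.9.6.1 or later? The following POSIX shell script is an added example for this article, not code from the Bricks project or from Wordfence. It assumes the theme is installed at `wp-content/themes/bricks` under the site root and declares its version in the standard `Version:` header of `style.css`, as WordPress themes do; a `make_fixture` helper builds a constructed sample site so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not from the article: report whether the Bricks theme on a
# WordPress site is at or above the patched release 1.9.6.1. Assumptions: the
# theme lives at wp-content/themes/bricks under the site root, and its version
# is declared in the standard "Version:" header of style.css, with numeric
# dot-separated components.

PATCHED_VERSION="1.9.6.1"

# Print the version declared in a theme's style.css header (first match only,
# carriage returns stripped in case the file has Windows line endings).
bricks_version() {
    sed -n 's/^[[:space:]]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# Return 0 if dotted version $1 is greater than or equal to $2, comparing
# component by component so that 1.9.6 sorts below 1.9.6.1 and 1.10.0 above it
# (a plain string comparison would get both of those wrong).
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ -n "$x" ] || x=0   # missing trailing component counts as 0
        [ -n "$y" ] || y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Check one site root (or an extracted backup tree).
# Exit status: 0 patched, 1 vulnerable, 2 theme or version header not present.
check_site() {
    site_root="$1"
    style_css="$site_root/wp-content/themes/bricks/style.css"
    if [ ! -f "$style_css" ]; then
        echo "$site_root: Bricks theme not found"
        return 2
    fi
    v="$(bricks_version "$style_css")"
    if [ -z "$v" ]; then
        echo "$site_root: Bricks style.css has no Version header"
        return 2
    fi
    if version_ge "$v" "$PATCHED_VERSION"; then
        echo "$site_root: Bricks $v (patched)"
        return 0
    fi
    echo "$site_root: Bricks $v (VULNERABLE: update to $PATCHED_VERSION)"
    return 1
}

# Constructed sample site root for trying the check offline: writes a minimal
# style.css declaring the given version and prints the temporary path.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/themes/bricks"
    printf '/*\nTheme Name: Bricks\nVersion: %s\n*/\n' "$1" \
        > "$root/wp-content/themes/bricks/style.css"
    echo "$root"
}
```

Source the file and run `check_site` against each site root, for example `for d in /var/www/*; do check_site "$d"; done` on a multi-site host. Pointing it at an unpacked backup before restoring covers the backup caution in the changelog: a restore that brings back a version below 1.9.6.1 is flagged before it goes live.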

This is an ongoing situation, and more information will be provided as it becomes available.
