{"id":396,"slug":"bricks-cve-2024-25600-exploited-24h","title":"Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release","kind":"reference","scope":"business","status":"current","audiences":["claude-code","dev","candid-team"],"topics":["wordpress","security-vulnerabilities","page-builders"],"reference_body":"**Claim:** Bricks Builder ≤ 1.9.6 contained an **unauthenticated remote code execution** vulnerability (CVE-2024-25600), CVSS **10.0**. Patchstack disclosure:\n\n> \"[Allows] any unauthenticated user to execute arbitrary PHP code on the WordPress site.\"\n\nPatch 1.9.6.1 shipped **February 13, 2024**. Active exploitation in the wild detected from **February 14, 2024** — approximately **one day** after patch availability.\n\n**Source:** <https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme/>\n\n**Confidence:** Verified.\n\n**The \"page builders are the highest-value attack surface\" thesis in one CVE.** Bricks runs on tens of thousands of sites; an unauthenticated RCE means anyone on the internet could execute PHP as the web user. Attackers had patch-diff exploits live within 24 hours of disclosure.\n\n**Page builders are by code volume one of the largest plugins on a typical site — their attack surface scales accordingly.**\n\nPatchstack 2026 (Feb 25, 2026): 11,334 new vulnerabilities in the WP ecosystem in 2025 (+42% YoY); 91% in plugins; **weighted median time to first exploit: 5 hours**; 46% had no patch at disclosure.","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"page-builder-cost-catalogue","title":"Reference: what page builders cost a small-business site — 10 categories ranked by long-term impact","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"rule-stop-quoting-page-builders-as-default-for-new-builds","title":"RULE: Stop quoting Elementor / Divi / WPBakery as the default for new Candid client builds. Block themes lead the pricing menu.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-case-against-page-builders","title":"Research brief: The Case Against Page Builders (piece 10 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T20:21:39.863Z","updated_at":"2026-05-22T20:21:39.863Z"}