Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release
Claim: Bricks Builder ≤ 1.9.6 contained an unauthenticated remote code execution vulnerability (CVE-2024-25600), CVSS 10.0. Patchstack disclosure:
"[Allows] any unauthenticated user to execute arbitrary PHP code on the WordPress site."
Patch 1.9.6.1 shipped February 13, 2024. Active exploitation in the wild detected from February 14, 2024 — approximately one day after patch availability.
Source: https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme/
Confidence: Verified.
The "page builders are the highest-value attack surface" thesis in one CVE. Bricks runs on tens of thousands of sites; an unauthenticated RCE means anyone on the internet could execute arbitrary PHP with the web server's privileges, which on a typical install is enough to read wp-config.php (database credentials), drop a web shell, and take over the site. Working exploits were live within about 24 hours of the patch, so the window between "update available" and "you are being scanned" was roughly a day. Page builders are by code volume among the largest components on a typical site (Bricks itself ships as a theme, not a plugin), and their attack surface scales accordingly.
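A practitioner reading this card mostly wants one thing: a fast way to tell whether a given site is still on a vulnerable build. The script below is an added example for this note, not code from Patchstack or from the Bricks project. It assumes the theme is installed under the default slug `bricks`, so its header file is reachable at `/wp-content/themes/bricks/style.css`, and that the header carries the standard WordPress `Version:` line; the sample header embedded in the script is constructed for illustration. The version rule it encodes is exactly the one stated above: anything below 1.9.6.1 is affected.

```python
"""Check a Bricks Builder install against CVE-2024-25600 (fixed in 1.9.6.1).

Added example for this note; not Patchstack's or Bricks' own code.
Assumptions: the theme lives under the default slug "bricks", so its header
file is /wp-content/themes/bricks/style.css, and that file carries the usual
WordPress "Version:" header line.
"""
import re
import sys
import urllib.request

# First fixed release per the Patchstack advisory; everything below is affected.
PATCHED = (1, 9, 6, 1)

# Constructed sample of a theme header as WordPress ships it (not a real capture).
SAMPLE_HEADER = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Author: Bricks
Version: 1.9.6
Text Domain: bricks
*/
"""


def parse_version(text):
    """Return the numeric tuple from a theme header 'Version:' line, or None.

    Handles both bare "Version: x.y.z" and the " * Version: x.y.z" form used
    inside a block comment, and strips any trailing pre-release suffix.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.M)
    if not m:
        return None
    # Keep only the leading dotted numeric components: "1.9.6.1-beta" -> (1, 9, 6, 1).
    nums = re.match(r"[0-9]+(?:\.[0-9]+)*", m.group(1)).group(0)
    return tuple(int(p) for p in nums.split("."))


def is_vulnerable(version):
    """True when version < 1.9.6.1, i.e. any 1.9.6 or earlier build.

    Tuple comparison does the right thing for (1, 9, 6) vs (1, 9, 6, 1):
    the shorter tuple is a prefix and therefore compares lower.
    """
    return version < PATCHED


def assess(header_text):
    """Combine parsing and the version rule into a single verdict dict."""
    version = parse_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "note": "update to 1.9.6.1 or later" if is_vulnerable(version) else "patched",
    }


def check_site(base_url, timeout=10):
    """Fetch the theme header from a live site and assess it.

    The path below assumes the default theme slug; a renamed theme directory
    will simply 404 and be reported as unknown rather than as safe.
    """
    url = base_url.rstrip("/") + "/wp-content/themes/bricks/style.css"
    req = urllib.request.Request(url, headers={"User-Agent": "bricks-version-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.read(4096).decode("utf-8", errors="replace"))
    except Exception as exc:  # network errors, 404 on a renamed theme, etc.
        return {"version": None, "vulnerable": None, "note": f"fetch failed: {exc}"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))
    else:
        print(assess(SAMPLE_HEADER))
```

A version of 1.9.6.1 or higher only tells you the eval path was closed; it says nothing about whether the site was already compromised during the roughly one-day exposure window, so a vulnerable result should be followed by a look for unexpected PHP files under wp-content and new administrator accounts, not just an update.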
Patchstack 2026 (Feb 25, 2026): 11,334 new vulnerabilities in the WP ecosystem in 2025 (+42% YoY); 91% in plugins; weighted median time to first exploit: 5 hours; 46% had no patch at disclosure.
Depends on
Referenced by (3)
- [reference] Reference: what page builders cost a small-business site — 10 categories ranked by long-term impact (depends-on)
- [rule] RULE: Stop quoting Elementor / Divi / WPBakery as the default for new Candid client builds. Block themes lead the pricing menu. (depends-on)
- [reference] Research brief: The Case Against Page Builders (piece 10 of 15) (relates-to)