CVE-2022-3401
Published: 28 October 2022
Summary
CVE-2022-3401 is a high-severity vulnerability of unspecified weakness type in Bricksbuilder Bricks. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Bricks theme for WordPress versions 1.2 through 1.5.3 contains a remote code execution vulnerability that stems from the theme permitting site editors to embed executable code blocks directly in website content. This issue is compounded by a separate missing authorization flaw tracked as CVE-2022-3400, resulting in a CVSS 3.1 score of 8.8 that reflects high impact on confidentiality, integrity, and availability.
Authenticated attackers holding minimal privileges, such as the subscriber role, can exploit the combination of flaws to edit arbitrary pages, posts, or templates on an affected site and insert a code execution block that achieves remote code execution.
Public advisories from Wordfence and the vendor at bricksbuilder.io address the issue and are referenced in the CVE record.
EPSS for the vulnerability reached a peak of 0.1085 after disclosure before receding to the current value of 0.0655.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42778
Vulnerability details
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.