Cyber Resilience

CVE-2022-3401

High

Published: 28 October 2022

Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0655 (91.3th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3401 is a high-severity vulnerability in Bricksbuilder Bricks; its weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Bricks theme for WordPress versions 1.2 through 1.5.3 contains a remote code execution vulnerability that stems from the theme permitting site editors to embed executable code blocks directly in website content. This issue is compounded by a separate missing authorization flaw tracked as CVE-2022-3400, resulting in a CVSS 3.1 score of 8.8 that reflects high impact on confidentiality, integrity, and availability.

Authenticated attackers holding minimal privileges, such as the subscriber role, can exploit the combination of flaws to edit arbitrary pages, posts, or templates on an affected site and insert a code execution block that achieves remote code execution.

Public advisories from Wordfence and the vendor at bricksbuilder.io address the issue and are referenced in the CVE record.

EPSS for the vulnerability reached a peak of 0.1085 after disclosure before receding to the current value of 0.0655.

EU & UK References

Vulnerability details

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: bricksbuilder
Product: bricks
Versions: 1.2 — 1.5.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References