Bricks Builder Plugin Bug Allows Remote Code Exec!

Version          Vulnerable  Patched
1.9.5 and below  Yes         No
1.9.6            No          Yes
1.9.7+           No          Yes

What’s Bricks Builder and Why Do So Many Use It?

Bricks Builder has become a favorite among WordPress users looking for a fast, flexible site-building experience. It’s a performance-first, visual page builder that gives you full control over design without adding unnecessary weight to your site. Instead of bloated code, it focuses on a clean, developer-friendly structure with features that appeal to both beginners and advanced users.

  • Visual builder tools: Drag-and-drop interface that updates in real time.
  • Custom responsive design: Support for unique breakpoints tailored to different devices.
  • Dynamic content support: Easily integrates custom fields and dynamic values.
  • Theme-building functions: Allows for full header, footer, archive, and single page customization.
  • Developer-friendly interface: Built with performance, flexibility, and clean markup in mind.

Despite all these great features, one critical issue has recently come to light that could put every Bricks Builder-powered site at serious risk.

What’s the Deal With This Remote Code Execution Bug?

Security researchers uncovered a serious vulnerability in Bricks Builder that lets hackers run their own code on your WordPress site. This is known as a Remote Code Execution (RCE) bug, and it’s about as bad as it gets. It allows an attacker to take over your site completely—and in some cases, even your entire server.

  • Bug source: The problem lies in how the plugin handles AJAX requests—particularly the bricks_save_post function.
  • Main issue: The function didn’t properly check user roles or verify nonces, which are normally used to prevent unauthorized actions.
  • Resulting flaw: Low-level users like subscribers could exploit this loophole to inject malicious PHP code.

Once that code is in, it runs like any other file on your server, meaning full access for the attacker.

Just How Bad Is This Vulnerability?

This RCE flaw is present in all Bricks Builder versions released before version 1.9.6. That includes any site built on older versions, whether custom-developed or run by agencies.

  • Targeted versions: Any release before version 1.9.6.
  • Scope of access: Attackers can do everything from adding admin accounts to uploading malware or altering existing files.
  • Potential damage: Site defacement, stolen data, persistent backdoors, and even server-level control.

If your site lets users register accounts, even something as harmless as a subscriber role becomes a gateway for full compromise.

Key takeaway: Just one unpatched site could give an attacker total control using nothing more than a basic user account and a malicious request.

How Hackers Are Exploiting This Bug

This isn’t some complex, elite-level hack. It’s simple and effective—and that’s what makes it dangerous. Hackers can use a basic account and a few lines of code to gain full access.

  • Create a new user account: Most WordPress sites allow subscriber-level registration.
  • Send a crafted POST request: The attacker targets admin-ajax.php with a custom payload.
  • Inject PHP into template data: That code then executes like it’s part of your theme or plugin.
  • Take over the system: From there, it’s game over—admin privileges, malware uploads, or full server access.

Once exploited, the attacker could even hide their presence using obfuscated code or hidden files, making it harder to detect without a deep forensic check.

What’s Been Done So Far?

The Bricks Builder team acted quickly after being notified of the vulnerability. Within 48 hours, they released a fix and notified users.

  • Fixed version: Bricks Builder 1.9.6.
  • Patch coverage: The update blocks unauthorized access, validates user roles, and verifies all AJAX actions using proper nonce checks.
  • User recommendation: All users should update immediately to 1.9.6 or later to stay protected.
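To make the bug class and the fix concrete, here is an added illustration of a WordPress AJAX handler written first without the checks the advisory describes as missing, then with nonce, capability and input validation added. This is not the Bricks Builder code; the action name `demo_save_template`, the nonce field name and the `_demo_template` meta key are assumptions.

```php
<?php
// Added illustration, not Bricks Builder's own code. Action name, nonce field
// and meta key are assumed. Only the hardened handler is hooked.

// WEAK (not hooked, shown for contrast): every wp_ajax_* action runs for any
// logged-in user, so a subscriber reaches this; nothing checks the nonce or
// the caller's rights, and raw POST data goes straight into the database.
function demo_save_template_weak() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta($post_id, '_demo_template', $_POST['template']);
    wp_send_json_success();
}

// HARDENED: verify the nonce, then the capability on that specific post,
// then constrain the data before storing it.
add_action('wp_ajax_demo_save_template', 'demo_save_template_hardened');
function demo_save_template_hardened() {
    // 1. Nonce bound to this action; third argument makes a failure fatal.
    check_ajax_referer('demo_save_template', 'nonce', true);

    // 2. Capability check on the post, not merely "is logged in".
    $post_id = absint($_POST['post_id'] ?? 0);
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Accept only a JSON object/array; template data is config, not code.
    $raw  = wp_unslash($_POST['template'] ?? '');
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        wp_send_json_error(['message' => 'invalid template'], 400);
    }
    // Strip tags (including <?php) from every string leaf before storage.
    array_walk_recursive($data, function (&$v) {
        $v = is_string($v) ? sanitize_text_field($v) : $v;
    });

    update_post_meta($post_id, '_demo_template', $data);
    wp_send_json_success(['post_id' => $post_id]);
}

// The editor page must issue the matching nonce when it renders, e.g.:
// $nonce = wp_create_nonce('demo_save_template');
```

For a real builder the third step would be an allowlist of permitted element types and settings rather than a blanket `sanitize_text_field`, but the order of checks (nonce, capability, then data) is the part that was missing.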

If you’re not ready to update for some reason, you should take temporary protective measures such as limiting user registration and firewalling the admin-ajax.php endpoint.

Signs That Your Site Might Be Compromised

Not sure if your site was hit? There are several indicators that could point to a successful exploit. These signs don’t guarantee compromise but definitely warrant further inspection.

  • Strange user activity: Unknown admin accounts showing up.
  • Unusual files: PHP files suddenly appearing in wp-content/uploads/ or other public folders.
  • Performance spikes: High CPU or bandwidth usage without traffic surges.
  • Modified core files: Changes to functions.php, .htaccess, or wp-config.php without your knowledge.
  • Server logs: Repeated access to admin-ajax.php from suspicious IPs.

To fully check your site, use security tools like WPScan or Wordfence. These can scan for known malware signatures and changes to critical files. You should also manually inspect modified timestamps on plugin and theme files.
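As an added triage aid for two of the indicators above (PHP files in the uploads folder, and recently modified wp-config.php, .htaccess or theme functions.php), the following stand-alone PHP script walks a WordPress install and reports them. It is not a Bricks or WordPress tool; the install path, the 7-day window and the file list are assumptions passed on the command line.

```php
<?php
// Added triage script, not a Bricks or WordPress tool.
// Usage: php wp-triage.php /path/to/wordpress [days]   (path and window assumed)

$root  = rtrim($argv[1] ?? '.', '/');
$days  = (int) ($argv[2] ?? 7);
$since = time() - $days * 86400;

// Indicator 1: PHP files under uploads, which should contain media only.
function php_files_under(string $dir): array {
    if (!is_dir($dir)) {
        return [];
    }
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        // Catches .php, .php5, .phtml and double extensions like image.jpg.php
        if (preg_match('/\.ph(p[0-9]?|tml)$/i', $file->getFilename())) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Indicator 2: sensitive files whose mtime falls inside the window.
function recently_modified(array $paths, int $since): array {
    $hits = [];
    foreach ($paths as $p) {
        if (is_file($p) && filemtime($p) >= $since) {
            $hits[] = sprintf('%s (mtime %s)', $p, date('c', filemtime($p)));
        }
    }
    return $hits;
}

$sensitive = array_merge(
    [$root . '/wp-config.php', $root . '/.htaccess'],
    glob($root . '/wp-content/themes/*/functions.php') ?: []
);

$report = [
    'php_in_uploads'    => php_files_under($root . '/wp-content/uploads'),
    'recently_modified' => recently_modified($sensitive, $since),
];

foreach ($report as $name => $items) {
    printf("%s: %d finding(s)\n", $name, count($items));
    foreach ($items as $i) {
        echo "  $i\n";
    }
}
```

An attacker can reset modification times, so treat an empty report as weak evidence and confirm with a hash comparison against a known-good copy (WP-CLI's `wp core verify-checksums` covers core files).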

How the Bricks Team Is Handling It

The Bricks Builder developers deserve credit for handling the issue quickly and transparently. They didn’t try to downplay the severity and immediately released a patch with proper safeguards.

  • Public advisory: Posted shortly after patch release with clear mitigation instructions.
  • Security-first roadmap: Future releases will include more code review steps, automated testing for permissions, and improved handling of user input.
  • Bug reporting channel: Opened a secure channel for researchers to disclose vulnerabilities moving forward.

This type of response builds trust—and it’s a good reminder that no plugin is perfect, but developer accountability makes a big difference.

What WordPress Users Should Learn From This

This bug serves as a serious reminder to everyone using WordPress: even well-built plugins can introduce huge security risks if not properly audited or maintained. It’s not just about keeping WordPress core updated—you need to stay on top of your plugin stack too.

  • Control user roles: Limit editing and publishing capabilities to trusted users only.
  • Disable open registration: Unless it’s essential, stop allowing anyone to create an account.
  • Use security tools: Firewalls, malware scanners, and monitoring tools can catch threats early.
  • Update regularly: Never delay updates for plugins, especially when they include security patches.
  • Scan and back up often: Maintain clean backups and perform file integrity checks routinely.

A site may look fine on the surface, but with a vulnerability like this, attackers could be operating quietly in the background.

Conclusion

The Bricks Builder RCE bug is a serious threat that impacted a widely-used WordPress plugin. Fortunately, the developers acted fast, and a fix is available in version 1.9.6. If you haven’t updated yet, do it now—then take a few minutes to inspect your site for signs of compromise and adjust your user permissions if needed.

Security should never be an afterthought. Whether you’re managing one site or fifty, staying up to date on plugin vulnerabilities is a critical part of running a safe, stable website.

Key takeaway: A serious vulnerability in Bricks Builder allowed attackers to run code remotely. Anyone using versions below 1.9.6 must update immediately and inspect their site for suspicious activity.

FAQs

Is Bricks Builder safe now?

Yes, as long as you’re using version 1.9.6 or later. The developers have patched the vulnerability and added proper checks to prevent unauthorized access.

Can someone hack my site without logging in?

No, this specific exploit requires a logged-in user—typically a subscriber—to send a malicious request. However, many WordPress sites allow open registration, which increases the risk.

What if my site has already been attacked?

You should scan your files, remove any unknown admin users, change all passwords, and restore from a clean backup if possible. Consider reinstalling WordPress core files to eliminate any hidden malware.

Where can I find my plugin version?

In your WordPress dashboard, go to Plugins > Installed Plugins > Bricks. Check that the version is 1.9.6 or higher—it’ll be listed under the plugin name.

Do I need to remove Bricks Builder entirely?

No, you don’t need to remove it. Just ensure it’s updated to the latest version. Also, use a security plugin and keep an eye on your logs for unusual behavior.
