CVE-2024-4874

Name of the Vulnerable Software and Affected Versions The Bricks Builder plugin for WordPress versions up to, and including, 1.9.8

Description The issue allows authenticated attackers with Contributor-level access and above to modify posts and pages created by other users, including admins, due to missing validation on a user-controlled key via the postId parameter. This is possible if an admin enables access to the editor specifically for such a user or enables it for all users with a certain user account type.

Recommendations For The Bricks Builder plugin for WordPress versions up to, and including, 1.9.8: Update to a version later than 1.9.8 to resolve the issue. As a temporary workaround, consider restricting access to the editor for users with Contributor-level access and above to minimize the risk of exploitation. Ensure user roles are tightly controlled to prevent unauthorized modifications.