CVE-2024-4874 MEDIUM

CVE-2024-4874: Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

Vendor Bricksbuilder
Product Bricks Builder
Weakness CWE-639 · IDOR
Published June 22, 2024
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type.

Key dates

02Disclosure timeline

June 22, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE