Medium severity4.3NVD Advisory· Published Jun 22, 2024· Updated Apr 8, 2026

CVE-2024-4874

Description

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type.

Affected products

Bricksbuilder/Bricks
cpe:2.3:a:bricksbuilder:bricks:*:*:*:*:*:wordpress:*:*
Range: <1.9.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.wordfence.com/threat-intel/vulnerabilities/id/6d63e898-43e5-42b5-96b6-1453352e0caenvdThird Party Advisory
bricksbuilder.io/release/bricks-1-9-9/nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000