WordPress Brikk theme <= 3.0.0 - Arbitrary Content Deletion vulnerability

Vulnerability

The Brikk WordPress theme, versions 3.0.0 and earlier, contains an arbitrary content deletion vulnerability. The flaw allows any authenticated user with a subscriber-level account to delete arbitrary content, such as posts, pages, and media files, without requiring additional permissions or checks [1].

Exploitation

An attacker needs only a valid subscriber account on the target WordPress site. No special privileges or nonce bypasses are required according to the advisory. The attacker can send crafted requests to delete any post, page, or media item, regardless of ownership or intended permissions [1].

Impact

Successful exploitation leads to unauthorized deletion of arbitrary site content. An attacker can delete critical pages, published posts, images, or other media, causing loss of content, defacement, or disruption of site functionality. The vulnerability is rated with a CVSS score of 7.5 (High) and is expected to be used in mass exploitation campaigns [1].

Mitigation

Update the theme to a patched version. The advisory from Patchstack recommends immediate action; if no official patch is yet available, disconnect the theme from all sites, restrict subscriber registration, or use a web application firewall to block malicious requests. The vulnerability is expected to be included in mass-scanning toolkits [1].