H3-2026-0043
Bricks Builder Anonymous Authorization Bypass

| Field | Value |
|---|---|
| Category | VULNERABILITY |
| Base Score | 5.3 |
Description
The WordPress Bricks Builder theme exposes the /wp-json/bricks/v1/query_result REST endpoint, which passes caller-supplied originalQueryVars to WP_Query without checking the caller's capabilities. Combined with the anonymous-callable bricks_regenerate_query_nonce admin-ajax action, an unauthenticated attacker can enumerate posts in any status, including draft, private, pending, future, and trash.
Impact
An attacker can enumerate non-public WordPress posts, including drafts, private posts, and trashed content, without authentication. This can expose sensitive unpublished content, internal communications, or staged announcements before their intended publication date.
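As an added defensive example, not part of this advisory or of the Bricks code base: a WordPress must-use plugin that virtual-patches the REST leg described above by forcing every WP_Query served under /bricks/v1/query_result to post_status=publish for callers who cannot read private posts. It relies only on WordPress core hooks (rest_request_before_callbacks, rest_request_after_callbacks, pre_get_posts); the route string comes from the advisory, and the 'read_private_posts' capability threshold and the h3_* names are assumptions. It does not alter the bricks_regenerate_query_nonce admin-ajax action.

```php
<?php
/**
 * Plugin Name: Harden bricks/v1/query_result (drop into wp-content/mu-plugins/)
 *
 * Virtual patch: for callers who may not read non-public posts, every WP_Query
 * executed while serving /bricks/v1/query_result is forced to post_status=publish,
 * so caller-supplied originalQueryVars cannot surface draft, pending, private,
 * future or trashed posts. Editors and administrators keep full visibility.
 */

// Assumption: 'read_private_posts' is the capability that should be allowed to
// see non-public content through this endpoint; adjust to your site's roles.
const H3_QUERY_RESULT_ROUTE = '/bricks/v1/query_result';

function h3_force_public_post_status( WP_Query $query ) {
    // Overrides any post_status (string or array) the caller placed in the
    // query vars; WP_Query then returns published posts only.
    $query->set( 'post_status', 'publish' );
}

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! $request instanceof WP_REST_Request ) {
        return $response;
    }
    if ( $request->get_route() !== H3_QUERY_RESULT_ROUTE ) {
        return $response;
    }
    if ( current_user_can( 'read_private_posts' ) ) {
        return $response; // privileged caller: leave the query untouched
    }
    // WP_Query fires pre_get_posts unconditionally (suppress_filters does not
    // skip it) and re-reads query_vars afterwards, so hooking it here covers the
    // endpoint's internal WP_Query without depending on the request body layout.
    add_action( 'pre_get_posts', 'h3_force_public_post_status', PHP_INT_MAX );
    return $response;
}, 10, 3 );

// Drop the constraint once the endpoint has produced its response so that any
// later queries in the same request are unaffected.
add_filter( 'rest_request_after_callbacks', function ( $response, $handler, $request ) {
    remove_action( 'pre_get_posts', 'h3_force_public_post_status', PHP_INT_MAX );
    return $response;
}, 10, 3 );
```

Anonymous front-end queries keep working, since published posts are still returned; verify with a logged-out request that a known draft ID no longer appears in the endpoint's output.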