CVE-2021-24579
HIGHBold Page Builder < 3.1.6 - PHP Object Injection via bt_bb_get_grid AJAX Action
Title source: llmDescription
The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/08edce3f-2746-4886-8439-76e44ec76fa8
Scores
CVSS v3
8.8
EPSS
0.0822
EPSS Percentile
94.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
bold-themes/bold_page_builder
< 3.1.6
Published
Aug 30, 2021
Tracked Since
Feb 18, 2026