CVE-2021-24579

Bold Page Builder < 3.1.6 - PHP Object Injection

EPSS 8.2%CWE-502

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 8.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 ago 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.

Productos afectados

Unknown · Bold Page Builder

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/08edce3f-2746-4886-8439-76e44ec76fa8