CVE-2021-24579

Bold Page Builder < 3.1.6 - PHP Object Injection

EPSS 8.2%CWE-502

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 8.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 ago 2021Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.

Produtos afetados

Unknown · Bold Page Builder

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://wpscan.com/vulnerability/08edce3f-2746-4886-8439-76e44ec76fa8