The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.
CVE-2021-24579 is a high severity with CVSS 7.5 Vulnerability issue affecting the Plugin Bold Page Builder. It affects Versions up to 3.1.5 and is fixed in 3.1.6.
CVE-2021-24579 is tracked for the Plugin Bold Page Builder as high severity with CVSS 7.5. The affected range is Versions up to 3.1.5. Update Bold Page Builder to 3.1.6 or newer where that version is compatible with the site.
| Software Type | Plugin |
|---|---|
| Software Slug |
bold-page-builder
View on wordpress.org
|
| CVE | CVE-2021-24579 |
| Patched Versions |
3.1.6
|
| Affected Versions |
Versions up to 3.1.5
|
These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.
Bold Page Builder <= 2.3.1 - Missing Authorization to Settings Update
Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid
Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode
Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode
Bold Page Builder <= 5.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Bold Page Builder <= 5.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Bold Page Builder <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter
This record contains material that is subject to copyright
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more
License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more
