CVE-2021-24579
📋 TL;DR
This vulnerability in the Bold Page Builder WordPress plugin (versions before 3.1.6) is a PHP Object Injection: data sent to the plugin's bt_bb_get_grid AJAX action through wp-admin/admin-ajax.php reaches unserialize() without sanitisation, so a crafted request can instantiate arbitrary classes on the server. On its own that only creates objects; combined with a suitable gadget chain from another installed plugin or theme it can lead to remote code execution. Any WordPress site running an affected version with the plugin active is exposed.
💻 Affected Systems
- Bold Page Builder WordPress plugin, versions before 3.1.6
📦 What is this software?
Bold Page Builder by Bold Themes
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, malware installation, or site defacement.
Likely Case
An attacker can instantiate objects of any class WordPress has loaded; what that buys depends on the magic methods (__wakeup, __destruct, __toString) those classes implement. With a usable gadget chain this can be leveraged for privilege escalation, data manipulation, or further exploitation through other vulnerable plugins.
If Mitigated
Limited impact if no suitable gadget chain exists among the installed plugins and themes. The injection point itself remains, however, and any plugin or theme installed later can supply the missing gadget, so the absence of a chain today is not a durable mitigation.
🎯 Exploit Status
Turning the injection into code execution requires a gadget chain in another installed plugin or theme, so exploitability varies from site to site. WPScan has published technical details.
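To make the "gadget chain" dependency concrete, here is an added, self-contained illustration of the vulnerability class; it is not Bold Page Builder's code. LogWriter is a hypothetical gadget standing in for a class some other plugin or theme might ship, and the vulnerable handler simply models "request data into unserialize()". Run it with the PHP CLI.

```php
<?php
// Added illustration of PHP Object Injection, not code from Bold Page Builder.
// LogWriter is a hypothetical "gadget": a class some other plugin or theme might ship
// whose magic method does something useful to an attacker. unserialize() instantiates
// whatever class name the input names, and PHP then runs __wakeup()/__destruct() on it.

class LogWriter
{
    public $path = '/dev/null';
    public $data = '';

    public function __destruct()
    {
        // In a real gadget this might be a write into the web root.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: request data goes straight into unserialize().
function vulnerable_handler(string $input)
{
    return unserialize($input);
}

// Hardened pattern 1: never instantiate classes from untrusted input.
// Objects in the input become __PHP_Incomplete_Class, whose magic methods never run.
function hardened_handler(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Hardened pattern 2: change the wire format to JSON, which cannot name classes at all.
function json_handler(string $input): array
{
    return json_decode($input, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: a serialized LogWriter aimed at a file of the attacker's choosing.
$target  = sys_get_temp_dir() . '/cve-2021-24579-demo.txt';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"pwned";}',
    strlen($target),
    $target
);

@unlink($target);
$obj = vulnerable_handler($payload);
printf("vulnerable_handler -> %s\n", get_class($obj));
unset($obj);                                     // __destruct() fires here
printf("  attacker-chosen file created: %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

$obj = hardened_handler($payload);
printf("hardened_handler   -> %s\n", get_class($obj));
unset($obj);                                     // no class, no destructor
printf("  attacker-chosen file created: %s\n", file_exists($target) ? 'yes' : 'no');

try {
    json_handler($payload);
} catch (JsonException $e) {
    printf("json_handler       -> rejected (%s)\n", $e->getMessage());
}
```

The point to take from the first two runs is that the vulnerable and hardened handlers receive exactly the same bytes; the only difference is whether unserialize() is permitted to resolve a class name. That is also why the "If Mitigated" case above is fragile: the injection point accepts the payload either way, and only the presence or absence of a class like LogWriter decides the outcome.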
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.6
Vendor Advisory: https://wpscan.com/vulnerability/08edce3f-2746-4886-8439-76e44ec76fa8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Bold Page Builder.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 3.1.6 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable the vulnerable AJAX endpoint
Remove the bt_bb_get_grid AJAX action for both logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) callers. Add the following to the theme's functions.php or, better, to a must-use plugin under wp-content/mu-plugins/ so it survives a theme switch. The callback name shown is the one given in this advisory; remove_action() only takes effect if the name and priority match what the plugin actually registers (check the plugin source) and if the call runs after the plugin has added its hook.
remove_action('wp_ajax_bt_bb_get_grid', 'bt_bb_get_grid_callback');
remove_action('wp_ajax_nopriv_bt_bb_get_grid', 'bt_bb_get_grid_callback');
Deactivate the plugin
Temporarily deactivate Bold Page Builder until it can be updated. Pages built with it will lose their layout while it is off. With WP-CLI:
wp plugin deactivate bold-page-builder
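The following is an added must-use plugin that implements the "disable the endpoint" workaround without depending on the plugin's callback name, and additionally logs and rejects requests to the action that carry a serialized PHP object. It is example code, not from Bold Themes; the file name, the use of remove_all_actions() on the hook names, and the 403 response are this example's choices. Drop it into wp-content/mu-plugins/ and delete it once 3.1.6 or later is installed.

```php
<?php
/**
 * Plugin Name: bt_bb_get_grid stopgap (CVE-2021-24579)
 * Description: Added example, not Bold Themes code. Save as
 *              wp-content/mu-plugins/bt-bb-grid-stopgap.php and remove it
 *              once Bold Page Builder 3.1.6 or later is installed.
 */

if (!defined('ABSPATH')) {
    exit;
}

// 1. Unhook the vulnerable action whatever callback name the plugin registered it with.
//    admin-ajax.php fires 'init' before it dispatches wp_ajax_* actions, and a very late
//    priority guarantees the plugin's own add_action() calls have already happened.
add_action('init', function () {
    remove_all_actions('wp_ajax_bt_bb_get_grid');
    remove_all_actions('wp_ajax_nopriv_bt_bb_get_grid');
}, PHP_INT_MAX);

// 2. Log and reject any request to the action that carries a serialized PHP object,
//    so probing is visible in the PHP error log even while the action is unhooked.
//    'admin_init' runs in admin-ajax.php before the wp_ajax_* dispatch.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || ($_REQUEST['action'] ?? '') !== 'bt_bb_get_grid') {
        return;
    }

    // O:<len>:"Class" and C:<len>:"Class" are the only ways a serialized string names a class.
    $pattern = '/[OC]:\d+:"/';
    $blocked = false;

    // Walk nested parameters too; check the raw value and a second URL-decoding pass
    // to catch double-encoded payloads.
    array_walk_recursive($_REQUEST, function ($value) use ($pattern, &$blocked) {
        if (is_string($value)
            && (preg_match($pattern, $value) || preg_match($pattern, urldecode($value)))) {
            $blocked = true;
        }
    });

    if ($blocked) {
        error_log(sprintf(
            'CVE-2021-24579 stopgap: blocked serialized object in bt_bb_get_grid from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        wp_send_json_error(['message' => 'Request blocked.'], 403);
    }
}, 0);
```

Step 1 alone closes the hole; step 2 is there because an unhooked action answers with WordPress's generic "0"/400 response and leaves no trace, whereas the guard writes one line per probe that the detection queries below can pick up. Legitimate grid requests from the plugin's own front end will also fail while this is active, which is the trade-off the "Disable the vulnerable AJAX endpoint" workaround already implies.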
🧯 If You Can't Patch
- Add a web application firewall (WAF) rule that blocks requests to wp-admin/admin-ajax.php whose parameters (query string or POST body) contain serialized PHP object markers, i.e. O:<digits>:" or C:<digits>:", optionally scoped to action=bt_bb_get_grid. Match only the object markers; matching generic serialized data such as s: or a: will block legitimate traffic.
- Restricting wp-admin/admin-ajax.php as a whole by IP allow-list or authentication is a blunt instrument: WordPress core and many plugins call it for anonymous visitors (comments, forms, heartbeat), so restrict only the bt_bb_get_grid action, or accept the breakage knowingly.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If Bold Page Builder is active and its version is below 3.1.6, the site is vulnerable. A deactivated copy does not register the AJAX action, but update it before reactivating.
Check Version:
wp plugin get bold-page-builder --field=version
Verify Fix Applied:
Confirm plugin version is 3.1.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Requests (GET or POST) to /wp-admin/admin-ajax.php with action=bt_bb_get_grid from hosts that do not otherwise browse the site, or in bursts typical of scanners
- PHP notices of the form unserialize(): Error at offset N of M bytes in the PHP error log; these indicate malformed probes, while a well-formed payload produces no error at all
- Serialized PHP object markers (O:<digits>:"ClassName", or their URL-encoded form O%3A<digits>%3A%22) in request parameters
Network Indicators:
- HTTP requests to admin-ajax.php carrying serialized PHP objects in the query string or body; the body is only visible to a WAF, reverse proxy or packet capture, not to the standard access log
- Unexpected outbound connections from the web server after such requests (payload staging, reverse shells, or callbacks from a triggered gadget)
SIEM Query:
web.url: "*/wp-admin/admin-ajax.php*" AND web.query: "*action=bt_bb_get_grid*" AND (web.query: "*O:*" OR web.query: "*O%3A*" OR web.query: "*C:*" OR web.query: "*C%3A*")
Two caveats: matching a: and s: as well, as a generic serialized-data search would, fires on almost any value that contains those two characters, whereas O: and C: are the only markers that name a class; and web.query only covers GET parameters, so POST payloads need a WAF or an application-level guard that logs the request parameters.
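As an added worked example of the detection logic (not part of the original advisory), the script below classifies access-log lines the way the SIEM query does, but after URL-decoding the parameters and with the object-only marker rule. The combined log format is assumed and the sample lines are constructed, not real traffic.

```php
<?php
// Added example for the detection section: classifies access-log lines for CVE-2021-24579
// probing. Apache/Nginx "combined" log format is assumed; the sample lines are constructed.

// Serialized PHP object marker: O:<len>:"ClassName" (C: for classes with a custom serializer).
// Plain strings (s:) and arrays (a:) are not objects and would only generate noise.
const SERIALIZED_OBJECT = '/[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*"/';

function parse_combined_log(string $line): ?array
{
    // ip ident user [time] "METHOD path PROTO" status bytes ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

function classify_request(array $req): ?string
{
    $url = parse_url($req['path']);
    if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') {
        return null;
    }
    parse_str($url['query'] ?? '', $params);          // also URL-decodes the values
    if (($params['action'] ?? '') !== 'bt_bb_get_grid') {
        return null;
    }
    foreach ($params as $value) {
        if (is_string($value) && preg_match(SERIALIZED_OBJECT, $value)) {
            return 'serialized-object';               // strong indicator
        }
    }
    // The body of a POST is not in the access log, so a POST to the action is only
    // "worth a look" unless a WAF or PHP-level guard logs the parameters.
    return $req['method'] === 'POST' ? 'post-to-action' : 'get-to-action';
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_combined_log($line);
        if ($req === null) {
            continue;
        }
        $verdict = classify_request($req);
        if ($verdict !== null) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'method' => $req['method'], 'verdict' => $verdict];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic). Line 1 carries an encoded
// O:8:"stdClass":0:{} probe; line 5 carries only a serialized string, which the
// generic a:/s: search would have flagged but this rule correctly ignores.
$sample = [
    '203.0.113.7 - - [12/Oct/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bt_bb_get_grid&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Oct/2021:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=bt_bb_get_grid HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '198.51.100.4 - - [12/Oct/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Oct/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=bt_bb_get_grid&data=s%3A5%3A%22hello%22%3B HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("%-15s %s %-4s %s\n", $hit['ip'], $hit['time'], $hit['method'], $hit['verdict']);
}
```

Three of the five lines are reported: the first as serialized-object, the second as post-to-action, and the last as get-to-action. The heartbeat call and the front-page hit are ignored. Tuning that matters in practice: the serialized-object verdict is worth an alert on its own; the post-to-action verdict is a hunting lead that needs the request body from a WAF or from the PHP-level guard to confirm.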