CVE-2021-24579: 
WordPress vulnerability analysis and mitigation

The Bold Page Builder WordPress plugin before version 3.1.6 contained a PHP Object Injection vulnerability (CVE-2021-24579) discovered in August 2021. The vulnerability exists in the btbbget_grid AJAX action which processes user input through the unserialize() function without proper validation or sanitization (WPScan Advisory).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue occurs in the AJAX action btbbget_grid where user input is passed directly to PHP's unserialize() function. While the plugin itself didn't contain a suitable gadget chain for exploitation, other installed plugins could potentially provide the necessary components for Remote Code Execution (NVD, WPScan Advisory).

Although the plugin itself lacks a suitable gadget chain for full exploitation, when combined with other installed plugins, this vulnerability could potentially lead to Remote Code Execution (RCE) in some cases. The vulnerability affects the confidentiality, integrity, and availability of the system as indicated by the high CVSS scores in all these categories (WPScan Advisory).

The vulnerability was fixed in version 3.1.6 of the Bold Page Builder plugin. Users should update to this version or later to mitigate the risk (WPScan Advisory).