CVE-2024-4605

HIGH

Breakdance < 1.7.1 - Remote Code Execution via Post Meta Data

Title source: llm

Description

The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via UI. As a result they can escalate their privileges or execute arbitrary code.

References (2)

Core 2

Core References

Various Sources

https://breakdance.com/breakdance-1-7-2-now-available-security-update/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/095b23b7-71ab-41eb-b666-73df2e1a7eb4?source=cve

Scores

CVSS v3 8.8

EPSS 0.0090

EPSS Percentile 55.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

Breakdance/Breakdance < 1.7.1

Published May 14, 2024

Tracked Since Feb 18, 2026