CVE-2024-4605: 
WordPress vulnerability analysis and mitigation

The Breakdance plugin for WordPress contains a Remote Code Execution vulnerability (CVE-2024-4605) affecting all versions up to and including 1.7.1. The vulnerability was discovered on May 6th, 2024, by security researcher Francesco Carlucci and was patched in version 1.7.2 released on May 7th, 2024. This vulnerability affects WordPress installations with the Breakdance plugin that have users with Contributor or higher permissions (Breakdance Blog).

The vulnerability stems from the plugin storing custom data in metadata without an underscore prefix, which allows lower privileged users (Contributor level and above) to edit this data through the user interface. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows users with Contributor or higher permissions to escalate their privileges to administrator level and potentially execute arbitrary code on the affected system. This could lead to complete site compromise if exploited (Breakdance Blog).

The vulnerability has been patched in Breakdance version 1.7.2. Users should immediately update to this version. After updating, users should go to WP Admin > Breakdance > Settings > Tools and click Migrate Meta, followed by clearing their cache with their server/host/cache plugin. If issues persist after updating, users can contact support@breakdance.com for assistance (Breakdance Blog).

The vulnerability was responsibly disclosed by security researcher Francesco Carlucci, who was awarded a $500 bounty for the discovery. The vendor responded quickly, developing and releasing a patch within approximately 37 hours of the initial report (Breakdance Blog).