April 30, 2024
Breakdance 1.7.1 is a security update that addresses a vulnerability reported to us by WordFence, disclosed to them by security researcher Francesco Carlucci.
The issue we have addressed is classed as an Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability. In simpler terms, this means those who you granted permission to create and edit posts could put HTML or JS code in those posts, and that HTML or JS code would be output on the frontend of your site.
After being notified, we immediately began working with the WordFence team to come up with an ideal solution. The goal was to keep Breakdance’s expected functionality intact, while adding an extra layer of security for users who might be susceptible to this vulnerability.
The WordFence team proposed a fantastic solution which we vetted, approved, and implemented immediately once we were sure it would work. We submitted our implementation and they quickly confirmed that the changes eliminate the reported vulnerability.
You must have done two things for you to be impacted:
1. You let non-administrators create or edit posts or custom fields
2. You then embed that data on the front-end of your site using Breakdance’s dynamic data capabilities
If you have done both of those things, a non-admin could insert HTML or JavaScript into the front-end of your site, which is a vulnerability and shouldn’t be permitted.
If you haven’t done both of those things, you aren’t impacted. If only administrators have the ability to create or edit posts and custom field data, or if you’re not using the dynamic data capabilities of Breakdance on the front-end of your site, this issue does not impact you.
In Breakdance 1.7.1, any dynamic data from users without the unfiltered_html capability will be filtered by default before it’s displayed on your site.
For those who need more control, we’ve included an option to bypass this filter in Breakdance’s settings under the Advanced tab. This allows you to maintain the functionality you need.
This specific issue is a great example of how the collaboration between software vendors and security researchers should be handled. WordFence (and Francesco) disclosed a real, valid vulnerability that could be impactful for some users. We worked with them to find a solution and implemented the solution.
We hope that more security researchers and security vendors look to teams like WordFence and people like Francesco as great examples of how to make a real, measurable difference in the WordPress security space.
A huge thank you goes out to Francesco Carlucci for bringing this to our attention. Their proactive approach to web security is exactly what helps keep the internet a safer place for everyone. As a token of our gratitude, we’ve rewarded Francesco with $500 for the responsible disclosure.
Get maximum flexibility with unlimited licensing and domain activations.
Get your money back within 60 days of purchase, no questions asked. It's risk-free!
We offer premium support to ensure the ultimate customer experience.
For a limited time, we're offering an unlimited site license for just $299.99/year. Buy now to lock in this price.
