May 7, 2024
Important – if you encounter issues after updating, you should:
Breakdance 1.7.2 is a security update that addresses a vulnerability reported to us by security researcher Francesco Carlucci.
The issue we have addressed is a privilege escalation vulnerability that would allow a user with “contributor” or higher permissions to escalate their privileges to admin (CVE-2024-4605). This issue impacts anyone who has granted untrusted users Contributor+ access to their WordPress website. It does not affect you if you do not have Contributor+ users on your WordPress website. This issue can only be exploited by a Contributor+ user.
Here’s a quick breakdown of the timeline (UTC−04:00) for this disclosure & patch:
If there are no non-admin users on your website with a role of Contributor or higher, you are not vulnerable.
If you granted non-admin users on your site a role of Contributor or higher, you are impacted. You should upgrade to 1.7.2.
After installing 1.7.2, your site will attempt to automatically perform a migration step. In most cases, this will be a seamless process and your site will experience no downtime.
If the migration fails, you may see some or all of your site go blank on the front-end, or content appear blank when you open it in the Breakdance editor.
If your site experiences issues after the update, here’s what you need to do:
If you continue to experience issues after following these steps, the issue is unlikely to be related to 1.7.2. Please email support@breakdance.com and our team will be happy to help.
If, for some reason, you need to downgrade to a version prior to 1.7.2, you will need to reverse the meta migration.
This can be done under Breakdance > Settings > Tools by clicking the “Undo Migrate Meta” button.
Once the migration has been reversed, you can then install Breakdance 1.7.1 or earlier. Don’t forget to clear all caches.
This specific issue is a great example of how the collaboration between software vendors and security researchers should be handled. Francesco Carlucci disclosed a real, valid vulnerability that could be impactful for some users. We worked with him to find a solution and then implemented it.
A huge thank you goes out to Francesco Carlucci for bringing this to our attention. This proactive approach to web security is exactly what helps keep the internet a safer place for everyone. As a token of our gratitude, we’ve rewarded Francesco with $500 for the responsible disclosure.