
May 7, 2024

Breakdance 1.7.2 Now Available – Security Update
Important – if you encounter issues after updating, you should:

  • Go to WP Admin > Breakdance > Settings > Tools and click Migrate Meta
  • Clear your cache with your server / host / cache plugin

Breakdance 1.7.2 is a security update that addresses a vulnerability reported to us by security researcher Francesco Carlucci.

The issue we have addressed is a privilege escalation vulnerability that would allow a user with “contributor” or higher permissions to escalate their privileges to an admin (CVE-2024-4605). This issue impacts anyone who has granted untrusted users Contributor+ access to their WordPress website. It does not affect you if you do not have Contributor+ users on your WordPress website. This issue can only be exploited by a Contributor+ user.

Here’s a quick breakdown of the timeline (UTC−04:00) for this disclosure & patch:

  • May 6th, 6:16 AM: Francesco reported the vulnerability to us.
  • May 6th, 6:24 AM: We responded and immediately began workshopping solutions with Francesco, vetting the options to find the most effective and secure route.
  • May 7th, 12:55 AM: 1.7.2 was sent to Francesco for verification.
  • May 7th, 11:36 AM: Francesco verified the fix. We then did final testing.
  • May 7th, 7:30 PM: 1.7.2 released, patching this vulnerability.

How To Know If You Are Impacted

If there are no non-admin users on your website with a role of Contributor or higher, you are not vulnerable.

If you granted non-admin users on your site a role of Contributor or higher, you are impacted. You should upgrade to 1.7.2.
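One way to run that check across every account, including custom roles, as an added example that is not part of this post or of the Breakdance code base. It assumes WP-CLI is installed; the filename is an arbitrary choice, and the capability test (`edit_posts` without `manage_options`) stands in for "Contributor or higher but not administrator".

```php
<?php
// Added example, not Breakdance's code. Lists every account that is not an
// administrator but can edit posts, i.e. holds a Contributor-or-higher role.
// Run from the site root with WP-CLI:  wp eval-file list-contributor-plus.php
// (file name is arbitrary; WP-CLI loads WordPress before executing this file)

$exposed = array();

foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
    // Administrators are out of scope: they already hold admin rights.
    if ( user_can( $user, 'manage_options' ) ) {
        continue;
    }
    // Contributor and every higher built-in role carry edit_posts; testing the
    // capability instead of the role name also catches custom roles.
    if ( user_can( $user, 'edit_posts' ) ) {
        $exposed[] = sprintf(
            '%d %s (%s)',
            $user->ID,
            $user->user_login,
            implode( ',', $user->roles )
        );
    }
}

if ( empty( $exposed ) ) {
    WP_CLI::success( 'No non-admin Contributor+ users found; this site is not impacted.' );
} else {
    WP_CLI::warning( count( $exposed ) . ' non-admin user(s) with Contributor+ access; update to 1.7.2:' );
    foreach ( $exposed as $line ) {
        WP_CLI::line( $line );
    }
}
```

On a multisite install, run it per site (`--url=<site>`) since roles are assigned per site.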

Updating To 1.7.2

After installing 1.7.2, your site will attempt to automatically perform a migration step. In most cases, this will be a seamless process and your site will experience no downtime.

Possible issues you may experience if the migration fails are: some or all of your site going blank on the front-end, or appearing blank when you open Breakdance to edit some content.

If your site experiences issues after the update, here’s what you need to do:

  1. Go to Breakdance > Settings > Tools in the WordPress admin panel
  2. Click the “Migrate Meta” button
  3. CLEAR ALL CACHES

If you continue to experience issues after following these steps, the issue is unlikely to be related to 1.7.2. Please email support@breakdance.com and our team will be happy to help.

Downgrading to Previous Versions

If, for some reason, you need to downgrade to a version prior to 1.7.2, you will need to reverse the meta migration.

This can be done under Breakdance > Settings > Tools by clicking the “Undo Migrate Meta” button.

Once the migration has been reversed, you can then install Breakdance 1.7.1 or earlier. Don’t forget to clear all caches.

Other Notes

This specific issue is a great example of how the collaboration between software vendors and security researchers should be handled. Francesco Carlucci disclosed a real, valid vulnerability that could be impactful for some users. We worked with them to find a solution and implemented it.

A huge thank you goes out to Francesco Carlucci for bringing this to our attention. This proactive approach to web security is exactly what helps keep the internet a safer place for everyone. As a token of our gratitude, we’ve rewarded Francesco with $500 for the responsible disclosure.
