Breakdance 2.6.1 – Security Update

Breakdance 2.6.1 is now available. This release contains a security update, as well as fixes for issues related to Breakdance 2.6.

Security Update

This release fixes a privilege escalation vulnerability where users with the edit_users capability could modify their own Breakdance Builder Access permissions, allowing them to grant themselves full builder access without administrator approval.

By default, WordPress grants the edit_users capability only to Administrators. However, some plugins allow edit_users to be granted to non-administrators. A common example is WooCommerce, where the Shop Manager role has this capability.

You should update immediately if:

• Any non-administrator users on your site have the edit_users capability
• You use WooCommerce and have Shop Managers you do not fully trust
• You use plugins that modify or extend user role capabilities

You are not at immediate risk if:

• Only Administrators have the edit_users capability
• You have not customized WordPress role capabilities
• You do not use plugins that modify or extend user role capabilities

At this time, we are not aware of this vulnerability being exploited in the wild. Exploitation requires a logged-in user with the edit_users capability. On most WordPress sites, this capability is restricted to Administrators.

Bug Fixes

• Display Tabs as Dropdown on Mobile: When you set Tabs or Advanced Tabs to display as a dropdown on tablet or phone, the styling now applies correctly.
• Customize Gallery Lightbox Colors: Custom colors set in the Gallery lightbox design controls now appear on the frontend.