| Affected plugin | Breakdance |
| Active installs | Not available – Commercial |
| Vulnerable version | <= 1.7.0 |
| Audited version | 1.7.0 |
| Fully patched version | Unpatched |
| Recommended remediation | See Misc |
| CVE | CVE-2024-31390 (Patchstack link) |
Description
The Breakdance page builder is vulnerable to remote code execution (RCE) in versions <= 1.7.0, which means that an attacker can run arbitrary code/system commands and take over the site/server.
To exploit this vulnerability, a user must have been granted “builder access” to Breakdance in the past. “Content-edit only” access is sufficient.
Breakdance has a dedicated Client Mode feature, which is commonly used to give non-technical end-users highly restricted access to the page builder.
If one of these accounts is compromised (or used maliciously), it can be used to achieve RCE.
Proof of concept
Technical details will not be released for at least a week.
Proposed patch
Technical details will not be published for at least a week.
Timeline
| Vendor contacted | February 09, 2024 (Snicco contacts Patchstack) |
| First Response | February 10, 2024 (Patchstack validated the issue) |
| Fully patched at | Not patched |
| Breakdance leaked vulnerability details | April 2, 2024 |
| Publicly disclosed | April 3, 2024 |
Miscellaneous
The Breakdance team did not consider this a security vulnerability.
According to them, the “Client Mode” never aimed to perform any sorts of permission check, but rather only simplify the visual editor for clients.
The documentation contains the following:
Do not grant “Edit Content” access to untrusted users, as a skilled user could escalate their privileges to a site admin.
https://breakdance.com/documentation/other/security/
Regardless, we (and Patchstack) strongly disagree with this assessment, as it is roughly analogous to WordPress Core saying something like:
“Contributors can now do everything an admin can. Instead of enforcing permissions, WordPress now just hides the sensitive admin menu links in the sidebar – “Be sure to make only trusted users a contributor”.
This mindset goes against anything that access control is supposed to do.
Agencies, undoubtedly, use this functionality to give builder access to non-admin users because they rightfully reason that their clients can’t be trusted to keep an admin account secure (bad security hygiene, vulnerable to phishing, weak passwords, etc.), but content-only access sounds fine.
In fact, this functionality, as it’s currently standing, turns everyone into an admin.
If you can execute random code, you’re an admin.
It does not matter if you trust your clients to not hack their own sites. They won’t, but the attacker that compromises your customers’ account.
We hope the Breakdance team reconsiders their decision, especially given that the proposed patch is not too difficult to implement.
Leave a Reply