Soflyy Breakdance, a popular page builder plugin, has been identified with a critical vulnerability (CVE-2024-31390) that enables remote code execution (RCE) in versions <= 1.7.0. This vulnerability allows attackers to execute arbitrary code and potentially take over the site/server. The vulnerability arises from improper control of code generation, specifically in the plugin’s Client Mode feature.
Despite the Breakdance team’s assessment, the severity of this vulnerability poses significant risks to site security and integrity, as it effectively grants unauthorized users admin-level access. The proposed patch for this vulnerability has not yet been published, and technical details will be withheld for at least a week.
Agencies and users are strongly advised to refrain from granting “Edit Content” access to untrusted users until the vulnerability is mitigated. While the Breakdance team may consider this a non-security issue, the potential impact of RCE on site/server security cannot be understated. It is essential for users of Breakdance to stay updated on developments regarding this vulnerability and apply the recommended patches as soon as they become available to safeguard their websites against potential exploitation.
Reference:
