CVE-2024-4605 Vulnerability Details

  /     /     /  

CVE-2024-4605 Metadata Quick Info

CVE Published: 09/05/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: Wordfence | Vendor: Breakdance | Product: Breakdance
Status : PUBLISHED

---

CVE-2024-4605 Description

The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via UI. As a result they can escalate their privileges or execute arbitrary code.

Metrics

CVSS Version: 3.1 | Base Score: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID:
CWE Name: CWE-94 Improper Control of Generation of Code ( Code Injection )
Source: Breakdance

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).