CVE-2024-5331 – Breakdance <= 1.7.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-5331
The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions. El complemento Breakdance para WordPress es vulnerable al acceso no autorizado a los datos en todas las versiones hasta la 1.7.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, exporten envíos de formularios. • https://breakdance.com/breakdance-2-0-now-available https://www.wordfence.com/threat-intel/vulnerabilities/id/dbe8d453-21f0-43e2-84d3-3c520ab9c308?source=cve • CWE-284: Improper Access Control •
CVE-2024-5330 – Breakdance <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-5330
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the breakdance_css_file_paths_cache parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Breakdance para WordPress es vulnerable a Cross Site Scripting almacenado a través del parámetro breakdance_css_file_paths_cache en todas las versiones hasta la 1.7.2 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://breakdance.com/breakdance-2-0-now-available https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbd26f5-b75e-41a3-aefb-d6c8cc2cec7b?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4605 – Breakdance <= 1.7.1 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-4605
The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via UI. As a result they can escalate their privileges or execute arbitrary code. El complemento Breakdance para WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 1.7.1 incluida a través de metadatos de publicación. • https://breakdance.com/breakdance-1-7-2-now-available-security-update https://www.wordfence.com/threat-intel/vulnerabilities/id/095b23b7-71ab-41eb-b666-73df2e1a7eb4?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-6854 – Breakdance <= 1.7.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta
https://notcve.org/view.php?id=CVE-2023-6854
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Breakdance para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la salida postmeta personalizada del complemento en todas las versiones hasta la 1.7.0 incluida debido a una sanitización de entrada insuficiente y salida que se escapa en los metacampos de publicación proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://breakdance.com/breakdance-1-7-1-now-available-security-update https://www.wordfence.com/threat-intel/vulnerabilities/id/e92a0387-bd09-46d3-9f6c-09f701b9e550?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •