CVE-2024-4605
Published: 14 May 2024
Summary
CVE-2024-4605 is a high-severity Code Injection (CWE-94) vulnerability in Breakdance (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Breakdance plugin for WordPress is vulnerable to remote code execution in all versions through 1.7.1. The flaw stems from the plugin storing custom data in post metadata without an underscore prefix, which exposes the data to editing through the standard WordPress UI and enables code injection (CWE-94). The issue carries a CVSS 3.1 score of 8.8.
Authenticated users with contributor-level privileges can exploit the weakness to modify post metadata, escalate their permissions, and execute arbitrary code on the server. No special user interaction or network-adjacent access is required beyond standard contributor capabilities.
The vendor released Breakdance 1.7.2 to address the vulnerability, as noted in the security advisory at breakdance.com. The EPSS score has remained flat at 0.2013 with no material increase after disclosure.
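The underscore-prefix rule described above can be checked and enforced from a small must-use plugin. The following is an added example, not Breakdance or vendor code: it assumes a WordPress install, and the meta key name `example_builder_data` and the `example_` function and constant names are hypothetical placeholders.

```php
<?php
/**
 * Added example (not Breakdance code): mu-plugin that audits post meta keys
 * lacking the "_" prefix and hides chosen ones from the Custom Fields UI.
 */

// Hypothetical key names; replace with keys reported by the audit helper below.
const EXAMPLE_SENSITIVE_META_KEYS = array( 'example_builder_data' );

/**
 * WordPress core treats a meta key as protected only when it starts with "_".
 * This filter extends that protection to the listed unprefixed keys, so the
 * Custom Fields box and the edit_post_meta capability check refuse them.
 */
add_filter(
    'is_protected_meta',
    function ( $protected, $meta_key, $meta_type ) {
        if ( 'post' === $meta_type && in_array( $meta_key, EXAMPLE_SENSITIVE_META_KEYS, true ) ) {
            return true;
        }
        return $protected;
    },
    10,
    3
);

/**
 * Audit helper: return the distinct post meta keys that WordPress does not
 * consider protected, i.e. keys a user who can edit the post can also edit.
 */
function example_list_unprotected_meta_keys() {
    global $wpdb;

    // "_" is a LIKE wildcard, so it is escaped before matching the prefix.
    $like = $wpdb->esc_like( '_' ) . '%';
    $keys = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT DISTINCT meta_key FROM {$wpdb->postmeta} WHERE meta_key NOT LIKE %s",
            $like
        )
    );

    // Drop keys that another filter or plugin already marks as protected.
    return array_values(
        array_filter(
            $keys,
            function ( $key ) {
                return ! is_protected_meta( $key, 'post' );
            }
        )
    );
}
```

This is interim hardening for the weakness class only; the fix named on this page is the upgrade to Breakdance 1.7.2.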
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44214
Vulnerability details
The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via UI. As a result they can escalate their privileges or execute arbitrary code.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.