Platform: wordpress
Component: breakdance
Fixed version: 1.7.3
CVE-2024-31390 describes a Remote Code Execution (RCE) vulnerability within the Soflyy Breakdance WordPress plugin. This flaw allows attackers to inject arbitrary code, leading to complete server compromise. The vulnerability impacts versions of Breakdance up to and including 1.7.2, with a fix available in version 1.7.3.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute arbitrary commands on the web server hosting the WordPress site. This could lead to data breaches, website defacement, malware installation, or complete server takeover. Given that Breakdance functions as a video player and may handle user uploads, sensitive data such as user credentials, video content, and configuration files is at risk. Successful exploitation could also facilitate lateral movement within the network if the server has access to other systems.
This vulnerability has been publicly disclosed and assigned a CRITICAL CVSS score. While no active exploitation campaigns have been definitively linked to CVE-2024-31390 at the time of writing, the ease of exploitation and the plugin's popularity make it a high-priority target. It was added to the CISA KEV catalog on 2024-04-03, indicating a significant risk to US critical infrastructure. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Breakdance plugin, particularly those running older versions (≤1.7.2), are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. Sites that rely on Breakdance for handling user-uploaded video content are also at higher risk due to the potential for malicious file uploads.
• wordpress / composer / npm: `wp plugin list | grep breakdance`
• wordpress / composer / npm: `wp plugin update --all`
• wordpress / composer / npm: `wp plugin status breakdance`
• generic web: Check the WordPress plugin directory for an updated version (1.7.3+).
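The checks above tell you the installed version; deciding whether that version is in the affected range (≤ 1.7.2) still has to be done by hand. The script below is an added example, not part of this advisory: it parses the CSV form of `wp plugin list` (constructed sample output embedded inline, assumed column order name,status,update,version as wp-cli emits it) and flags a Breakdance install older than the fixed release.

```shell
# Added example (not from the advisory): flag a Breakdance install that is
# still on a version affected by CVE-2024-31390 (<= 1.7.2).
FIXED_VERSION="1.7.3"

# Return 0 when the version in $1 is older than FIXED_VERSION, 1 otherwise.
# An empty version (plugin not installed) is treated as not affected.
breakdance_is_vulnerable() {
    [ -n "$1" ] || return 1
    awk -v v="$1" -v f="$FIXED_VERSION" 'BEGIN {
        n = split(v, a, "."); m = split(f, b, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0   # missing components count as 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0             # older than the fix: affected
            if (x > y) exit 1             # newer than the fix: not affected
        }
        exit 1                            # equal to the fix: not affected
    }'
}

# Read `wp plugin list --format=csv` output on stdin and print the
# Breakdance version column (nothing if the plugin is not listed).
breakdance_version_from_csv() {
    awk -F, 'NR > 1 && $1 == "breakdance" { print $4 }'
}

# Constructed sample of wp-cli output, standing in for:
#   wp plugin list --format=csv
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
breakdance,active,available,1.7.2
hello,inactive,none,1.7.2'

# Run the check over the sample; returns 0 when an affected version is found.
check_sample() {
    v=$(printf '%s\n' "$SAMPLE_CSV" | breakdance_version_from_csv)
    if breakdance_is_vulnerable "$v"; then
        echo "breakdance $v is affected by CVE-2024-31390; update to $FIXED_VERSION or later"
        return 0
    fi
    echo "breakdance ${v:-not installed}: not affected"
    return 1
}
```

On a live site replace the sample with `wp plugin list --format=csv | breakdance_version_from_csv`.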
disclosure
kev
Exploitation status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Breakdance plugin to version 1.7.3 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement strict input validation and sanitization on all user-supplied data processed by the plugin. Web application firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Monitor WordPress logs for suspicious activity, particularly related to Breakdance plugin execution.
Update the Breakdance plugin to the latest available version. If no fixed version is available, consider disabling the plugin until an update that fixes this vulnerability is released. Refer to the plugin documentation for specific instructions on how to update it.
CVE-2024-31390 is a critical Remote Code Execution vulnerability in the Soflyy Breakdance WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Breakdance version 1.7.2 or earlier. Check your plugin versions immediately.
Upgrade the Breakdance plugin to version 1.7.3 or later. If upgrading is not possible, temporarily disable the plugin.
While no confirmed active exploitation campaigns have been reported, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the Soflyy website and WordPress plugin repository for the latest advisory and update information.