CVE-2024-31390 - Exploiting Code Injection in Breakdance Page Builder (All Versions up to 1.7.1)

If you work with WordPress page builders, you may have heard of Breakdance, a popular drag-and-drop tool from Soflyy. In early 2024, a serious vulnerability was disclosed: CVE-2024-31390 — an Improper Control of Generation of Code ('Code Injection') vulnerability. This article will break down what happened, how the vulnerability works, provide code snippets to demonstrate the issue, and discuss what you should do to stay safe.

What is CVE-2024-31390?

In plain language, CVE-2024-31390 allows attackers to inject malicious code into pages created with Breakdance. If exploited, this could let a hacker run their own scripts, steal administrator cookies, redirect users to phishing sites, or do much worse.

Breakdance plugin versions up to 1.7.1 are affected.

- All earlier versions (n/a through 1.7.1) are reportedly vulnerable.

How Does the Vulnerability Work?

At the core, the issue is with improper validation/sanitization of user-supplied input that is used in dynamically generated code by the plugin. This means attackers can sneak JavaScript or PHP code into fields in Breakdance, which the plugin will blindly include and execute.

Suppose there's a custom HTML or shortcode element in Breakdance that lets you insert code like this

echo $_POST['breakdance_custom_code'];

If a user submits this form field with JavaScript code, and the plugin doesn’t sanitize or validate the input, it can get injected directly into the page.

Code Snippet (PHP)

// Vulnerable code in Breakdance (simplified)
$custom_code = $_POST['custom_code']; // No sanitization!
echo $custom_code;

A hacker simply submits the following as their "custom_code" input

<script>alert('Your site is hacked!');</script>

When the page loads, the malicious JavaScript will run in the admin's browser, leading to XSS or worse.

Exploit Proof-of-Concept

> NOTE: This is for educational purposes only. Do NOT use this code maliciously.

Suppose you’re logged in as a lower-privileged user (e.g., Editor) and create a new page in Breakdance. If the plugin allows you to add custom HTML or code without sanitizing input, you would do something like:

Save the page and view it as an administrator.

Result: The admin’s cookies may be sent to evil.site, allowing session hijacking.

Mitigation and Patch Status

Soflyy has addressed the issue in versions after 1.7.1, so you should update to the latest version immediately.

References & Further Reading

- NVD - CVE-2024-31390
- Breakdance plugin homepage
- Exploit Database - Search for CVE-2024-31390

Conclusion

CVE-2024-31390 is a classic example of a Code Injection flaw in popular WordPress plugins. Always sanitize user input and keep your plugins up to date. For Breakdance users, update past version 1.7.1 now to prevent attackers from exploiting your site.

Timeline

Published on: 04/03/2024 12:15:14 UTC
Last modified on: 05/02/2024 11:15:45 UTC