
WordPress Breakdance plugin <= 1.7.2 - Authenticated Remote Code Execution (RCE) vulnerability

KNEET

New Pleskian
Server operating system version
Cent
Plesk version and microupdate number
Plesk Obsidian v18.0.75_build1800260102.11 os_RedHat el8

WordPress Breakdance plugin <= 1.7.2 - Authenticated Remote Code Execution (RCE) vulnerability
Authenticated Remote Code Execution (RCE) vulnerability discovered by Snicco in WordPress Plugin Breakdance (versions <= 1.7.2)

I keep on getting this vulnerability detected by WP Toolkit and it seems like it disables this plugin after scanning/finding it, resulting in the site going offline.
We have a license for Breakdance and are already on the latest version 2.6.1

After a lot of troubleshooting it seems to be a Plesk issue.

Can anyone help?

Thanks
 
Hello, @KNEET. For the time being, please navigate to Plesk > Subscriptions > example.com > More > Check for updates > Update Settings. Then under "Defined individually, but security updates are autoinstalled", please make sure that "Deactivate vulnerable plugins instead of updating them" is unchecked. I will discuss the matter about the vulnerability mismatch with our team on Monday and follow up with more details.
 
Hi, @KNEET Just wanted to let you know that our team informed the Patchstack team and they are currently attempting to communicate with the extension vendor and further looking into the matter.
 