CVE-2023-6854
Description
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user-supplied post meta fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Breakdance plugin for WordPress (up to 1.7.0) has a stored XSS vulnerability via insufficient sanitization of user-supplied post meta fields, exploitable by authenticated users with contributor-level access or higher.
Vulnerability Overview
CVE-2023-6854 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Breakdance plugin for WordPress, affecting all versions up to and including 1.7.0. The root cause lies in the plugin's custom postmeta output handling, where insufficient input sanitization and output escaping on user-supplied post meta fields allow injection of arbitrary web scripts [1]. This flaw is specifically tied to Breakdance's dynamic data capabilities, which echo custom field content on the front end.
Exploitation Requirements
To exploit this vulnerability, two conditions must be met: the site administrator must grant non-admin users (e.g., contributors) the ability to create or edit posts or custom fields, and the site must use Breakdance's dynamic data features to embed that data on the front end [1]. Authenticated attackers with contributor-level or higher permissions can then inject malicious HTML or JavaScript into post meta fields. When any user (including administrators) visits a page where that dynamic data is rendered, the injected script executes in the context of the victim's browser.
Impact
Successful exploitation leads to stored XSS, allowing attackers to perform actions such as cookie theft, session hijacking, defacement, or redirection to malicious sites. Since the payload persists in the database and executes on every page load for affected pages, the impact can spread across a site's user base without requiring additional interaction from the attacker beyond the initial injection.
Mitigation
The Breakdance team addressed the issue in version 1.7.1, released as a security update [1]. The fix applies filtering to dynamic data from users without the unfiltered_html capability by default. Administrators can optionally bypass this filter in the plugin's Advanced settings if needed, but this should be used cautiously. Users are strongly advised to update to 1.7.1 or later. Sites that restrict post and field editing to administrators only, or do not use Breakdance's dynamic data output, are not affected.
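The filtering policy described above, sketched as WordPress theme or plugin code next to the unescaped pattern it replaces. This is an added example, not Breakdance's code: the example_* functions and the [example_field] shortcode are hypothetical, and checking the post author's capability is an assumption about how "the user" is identified.

```php
<?php
// Added illustration only; not taken from the Breakdance plugin.

/**
 * Unsafe pattern: the custom field is returned for output verbatim, so
 * whoever can set the field controls markup served to every visitor.
 */
function example_render_meta_unsafe( $post_id, $meta_key ) {
    return (string) get_post_meta( $post_id, $meta_key, true );
}

/**
 * Hardened pattern: raw HTML is trusted only when the post's author
 * (assumption: the author is the user who supplied the field) holds the
 * unfiltered_html capability. Everything else goes through KSES.
 */
function example_render_meta_filtered( $post_id, $meta_key ) {
    $value = get_post_meta( $post_id, $meta_key, true );
    if ( ! is_scalar( $value ) ) {
        return ''; // arrays and objects are never rendered as markup
    }
    $value     = (string) $value;
    $author_id = (int) get_post_field( 'post_author', $post_id );

    if ( $author_id > 0 && user_can( $author_id, 'unfiltered_html' ) ) {
        return $value;
    }
    // wp_kses_post() keeps the HTML allowed in post content and drops
    // disallowed elements such as <script>, on* handler attributes and
    // javascript: URLs.
    return wp_kses_post( $value );
}

// Hypothetical shortcode: [example_field key="subtitle"]
add_shortcode( 'example_field', function ( $atts ) {
    $atts    = shortcode_atts( array( 'key' => '' ), $atts );
    $key     = (string) $atts['key'];
    $post_id = get_the_ID();

    // Refuse empty keys, protected (underscore-prefixed) meta and calls
    // made outside a post context.
    if ( '' === $key || ! $post_id || is_protected_meta( $key, 'post' ) ) {
        return '';
    }
    return example_render_meta_filtered( $post_id, $key );
} );
```

Where a field is meant to hold plain text rather than markup, esc_html() on output is the stricter choice for every author.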
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.