Breakdance 2.6.1 is now available. This release contains a security update, as well as fixes for issues related to Breakdance 2.6.
Security Update
This release fixes a privilege escalation vulnerability where users with the edit_users capability could modify their own Breakdance Builder Access permissions, allowing them to grant themselves full builder access without administrator approval.
By default, WordPress grants the edit_users capability only to Administrators. However, some plugins allow edit_users to be granted to non-administrators. A common example is WooCommerce, where the Shop Manager role has this capability.
You should update immediately if:
Any non-administrator users on your site have the edit_users capability
You use WooCommerce and have Shop Managers you do not fully trust
You use plugins that modify or extend user role capabilities
You are not at immediate risk if:
Only Administrators have the edit_users capability
You have not customized WordPress role capabilities
You do not use plugins that modify or extend user role capabilities
At this time, we are not aware of this vulnerability being exploited in the wild. Exploitation requires a logged-in user with the edit_users capability. On most WordPress sites, this capability is restricted to Administrators.
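To check the conditions listed above, the following added example (not Breakdance or WordPress code) reports every role other than Administrator that grants edit_users. The function name and the sample role data are assumptions made for illustration; on a live site it reads the real roles from wp_roles().

```php
<?php
// Added example, not part of Breakdance. Flags roles other than
// Administrator that grant the edit_users capability.

/**
 * @param array $roles Role map shaped like wp_roles()->roles:
 *                     slug => ['name' => string, 'capabilities' => [cap => bool]]
 * @return array slug => display name of non-administrator roles granting edit_users
 */
function roles_granting_edit_users(array $roles): array
{
    $flagged = [];
    foreach ($roles as $slug => $role) {
        if ($slug === 'administrator') {
            continue; // Administrators hold edit_users by default
        }
        $caps = $role['capabilities'] ?? [];
        // Capabilities are stored as cap => bool; false is an explicit deny.
        if (!empty($caps['edit_users'])) {
            $flagged[$slug] = $role['name'] ?? $slug;
        }
    }
    return $flagged;
}

// Inside WordPress (for example through `wp eval-file`), audit the real roles.
// Outside WordPress, fall back to constructed sample data.
$roles = function_exists('wp_roles') ? wp_roles()->roles : [
    'administrator'  => ['name' => 'Administrator', 'capabilities' => ['edit_users' => true]],
    'shop_manager'   => ['name' => 'Shop manager', 'capabilities' => ['edit_users' => true, 'manage_woocommerce' => true]],
    'editor'         => ['name' => 'Editor', 'capabilities' => ['edit_posts' => true]],
    'custom_support' => ['name' => 'Support (constructed)', 'capabilities' => ['edit_users' => false]],
];

$flagged = roles_granting_edit_users($roles);
foreach ($flagged as $slug => $name) {
    echo "Role '{$slug}' ({$name}) grants edit_users\n";
}
if (!$flagged) {
    echo "No non-administrator role grants edit_users\n";
}
```

This covers role-level grants only; a capability added directly to an individual user account does not appear in the role map and needs a separate per-user check.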
Bug Fixes
Display Tabs as Dropdown on Mobile: When you set Tabs or Advanced Tabs to display as a dropdown on tablet or phone, the styling now applies correctly.
Customize Gallery Lightbox Colors: Custom colors set in the Gallery lightbox design controls now appear on the frontend.