SQL Injection Vulnerability in Pods Plugin Could Lead to Sensitive Data Exfiltration
CVE-2023-6967

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Pods – Custom Content Types And Fields
Vendor: CVE Published:; 9 April 2024

Summary

The Pods – Custom Content Types and Fields plugin for WordPress exhibits a SQL Injection vulnerability through its shortcode feature. This issue arises from inadequate escaping of user-supplied parameters and insufficient preparation of the SQL queries involved. Attackers with contributor level access or higher can leverage this vulnerability to inject additional SQL commands into existing queries. This manipulation can lead to unauthorized access to sensitive data stored within the database, potentially compromising the integrity and privacy of user information.

Affected Version(s)

Pods – Custom Content Types and Fields * < 2.7.31

Pods – Custom Content Types and Fields 2.8 < 2.8.23.2

Pods – Custom Content Types and Fields 3 < 3.0.10.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/pods/trunk/cla...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Dec 19, 2023

Credit

Nex Team