Remote Code Execution Vulnerability in Pods Plugin
CVE-2023-6999

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Pods – Custom Content Types And Fields
Vendor: CVE Published:; 9 April 2024

What is CVE-2023-6999?

The Pods – Custom Content Types and Fields plugin for WordPress presents a significant security vulnerability that allows for remote code execution through the use of shortcodes. This issue affects all versions up to and including 3.0.10, except for specific versions noted. Authenticated attackers with contributor level access or higher can exploit this flaw to execute arbitrary code on the server, posing a serious threat to site integrity and data confidentiality. WordPress users utilizing the Pods plugin should prioritize updating to the latest version to mitigate risks associated with this vulnerability.

Affected Version(s)

Pods – Custom Content Types and Fields * < 2.7.31

Pods – Custom Content Types and Fields 2.8 < 2.8.23.2

Pods – Custom Content Types and Fields 3 < 3.0.10.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/pods/trunk/cla...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Dec 20, 2023

Credit

Nex Team

Wordpress

What is CVE-2023-6999?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit