Remote Code Execution Vulnerability in Pods Plugin
CVE-2023-6999

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Pods – Custom Content Types And Fields
Vendor: CVE Published:; 9 April 2024

Summary

The Pods – Custom Content Types and Fields plugin for WordPress presents a significant security vulnerability that allows for remote code execution through the use of shortcodes. This issue affects all versions up to and including 3.0.10, except for specific versions noted. Authenticated attackers with contributor level access or higher can exploit this flaw to execute arbitrary code on the server, posing a serious threat to site integrity and data confidentiality. WordPress users utilizing the Pods plugin should prioritize updating to the latest version to mitigate risks associated with this vulnerability.

Affected Version(s)

Pods – Custom Content Types and Fields * < 2.7.31

Pods – Custom Content Types and Fields 2.8 < 2.8.23.2

Pods – Custom Content Types and Fields 3 < 3.0.10.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/pods/trunk/cla...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Dec 20, 2023

Credit

Nex Team