CVE-2023-6965
First published: Tue Apr 09 2024(Updated: )
The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pods Custom Content Types and Fields | <=3.0.10 | |
| Pods Foundation | <2.7.31.2 | |
| Pods Foundation | >=2.8<2.8.23.2 | |
| Pods Foundation | >=2.9<2.9.19.2 | |
| Pods Foundation | >=3.0.0<3.0.10.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5d330cd-ad1f-451e-bf41-39cfeb296cf0?source=cve
- https://plugins.trac.wordpress.org/browser/pods/trunk/classes/PodsView.php#L750
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3039486%40pods%2Ftrunk&old=3039467%40pods%2Ftrunk&sfp_email=&sfph_mail=
Frequently Asked Questions
What is the severity of CVE-2023-6965?
CVE-2023-6965 is classified as a high-severity vulnerability due to missing authorization in the affected plugin.
How do I fix CVE-2023-6965?
To mitigate CVE-2023-6965, users should update the Pods – Custom Content Types and Fields plugin to version 3.0.11 or later.
Which versions are affected by CVE-2023-6965?
CVE-2023-6965 affects all versions of the Pods plugin up to and including 3.0.10, with specific exceptions for versions 2.7.31.2, 2.8.23.2, and 2.9.19.2.
What functionality is exploited in CVE-2023-6965?
CVE-2023-6965 exploits a file inclusion feature in the plugin which does not implement proper authorization checks.
What systems are impacted by CVE-2023-6965?
CVE-2023-6965 impacts WordPress installations using the Pods – Custom Content Types and Fields plugin.
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- vendor/pods
- canonical/pods custom content types and fields
- vendor/podsfoundation
- canonical/pods foundation
- version/pods foundation/2.8
- version/pods foundation/2.9
- version/pods foundation/3.0.0