CVE-2023-6965 — Missing Authorization in Pods Custom Content Types AND Fields

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 55.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sc0ttkclark Pods Custom Content Types AND Fields Podsfoundation Pods

Timeline

PublishedApr 9

Description

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sc0ttkclark/pods_custom_content_types_and_fields2.8 — 2.8.23.2+2

▶NVDpodsfoundation/pods2.8 — 2.8.23.2+3

🔴Vulnerability Details

GHSA

GHSA-4h68-4rgv-j269: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3↗2024-04-09

▶

CVEList

Pods - Custom Content Types and Fields - Missing Authorization↗2024-04-09

▶