CVE-2023-6999

CWE-77 — Command Injection3 documents3 sources

Severity

8.8HIGH

EPSS

1.2%

top 21.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sc0ttkclark Pods – Custom Content Types AND Fields Podsfoundation Pods

Timeline

PublishedApr 9

Description

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Exxecution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access or higher, to execute code on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sc0ttkclark/pods_–_custom_content_types_and_fields2.8 — 2.8.23.2+2

▶NVDpodsfoundation/pods2.8 — 2.8.23.2+3

🔴Vulnerability Details

CVEList

Pods - Custom Content Types and Fields - Authenticated (Contributor+) Remote Code Execution↗2024-04-09

▶

GHSA

GHSA-cm43-2v3p-vgjx: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Exxecution via shortcode in all versions up to, and inclu↗2024-04-09

▶