WordPress Plugin Vulnerabilities

Pods < 3.1 - Contributor+ Pods/Users Creation

Description

The plugin is vulnerable to Missing Authorization due to the fact that it allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).

Affects Plugins

Plugin icon
pods
Fixed in 3.1

References

CVE
CVE-2023-6965
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5d330cd-ad1f-451e-bf41-39cfeb296cf0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nex Team
Verified
No
WPVDB ID
0375f865-8ca6-4802-8e15-6efd8e18d9aa

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-03-29 (about 2 years ago)
Last Updated
2024-03-29 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
AI Responsive Gallery Album <= 1.4 - Missing Authorization
Published
2024-03-07
Title
TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds < 1.4.11 - Missing Authorization to Authenticated (Subscriber+) User Email Export
Published
2024-06-20
Title
PropertyHive < 2.0.10 - Missing Authorization
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Activation
Published
2026-03-26
Title
Seriously Simple Podcasting < 3.14.3 - Missing Authorization