CVE-2023-6999

EUVD-2023-59191
The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Execution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access or higher, to execute code on the server.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPSS Score percentile: Unknown
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| podsfoundation | pods | 𝑥 < 2.7.31.2 |
| podsfoundation | pods | 2.8 ≤ 𝑥 < 2.8.23.2 |
| podsfoundation | pods | 2.9 ≤ 𝑥 < 2.9.19.2 |
| podsfoundation | pods | 3.0.0 ≤ 𝑥 < 3.0.10.2 |

𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| podsfoundation | pods | 𝑥 < 2.7.31 | ADP |
| podsfoundation | pods | 2.8 ≤ 𝑥 < 2.8.23.2 | ADP |
| podsfoundation | pods | 3.0 ≤ 𝑥 < 3.0.10.2 | ADP |