CVE-2023-6965

MEDIUM

Pods - Custom Content Types and Fields <= 3.0.10 - Authenticated Missing Authorization via Shortcode File Inclusion

Title source: llm

Description

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).

Scores

CVSS v3 4.3
EPSS 0.0055
EPSS Percentile 42.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (4)
podsfoundation/pods < 2.7.31.2
sc0ttkclark/Pods – Custom Content Types and Fields < 2.7.31
sc0ttkclark/Pods – Custom Content Types and Fields 2.8 - 2.8.23.2
sc0ttkclark/Pods – Custom Content Types and Fields 3 - 3.0.10.2
Published Apr 09, 2024
Tracked Since Feb 18, 2026