CVE-2023-6999

HIGH

Pods - Custom Content Types and Fields <= 3.0.10 - Authenticated Remote Code Execution via Shortcode

Title source: llm

Description

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Exxecution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access or higher, to execute code on the server.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/pods/trunk/classes/PodsView.php#L750

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3039486%40pods%2Ftrunk&old=3039467%40pods%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d9108d5f-7b8b-478d-ba9d-f895bdb7dbf2?source=cve

Scores

CVSS v3 8.8

EPSS 0.0129

EPSS Percentile 66.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (4)

podsfoundation/pods < 2.7.31.2

sc0ttkclark/Pods – Custom Content Types and Fields < 2.7.31

sc0ttkclark/Pods – Custom Content Types and Fields 2.8 - 2.8.23.2

sc0ttkclark/Pods – Custom Content Types and Fields 3 - 3.0.10.2

Published Apr 09, 2024

Tracked Since Feb 18, 2026