CVE-2014-7957

Name of the Vulnerable Software and Affected Versions Pods plugin versions prior to 2.5 for WordPress

Description The issue allows remote attackers to hijack the authentication of administrators for various requests, including conducting cross-site scripting (XSS) attacks, deleting pods, resetting pod settings and data, deactivating and resetting pod data, deleting the admin role, and enabling "roles and capabilities". This can be achieved through multiple API endpoints, such as "/wp-admin/admin.php" with specific parameters like toggled, pods reset, pods reset deactivate, and id.

Recommendations For Pods plugin versions prior to 2.5, update to version 2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/wp-admin/admin.php", to minimize the risk of exploitation. Avoid using the toggled, pods reset, pods reset deactivate, and id parameters in the affected API endpoints until the issue is resolved.