PT-2024-15147 · WordPress · The Pods – Custom Content Types/Fields

Nex Team · Published 2024-04-09 · Updated 2025-01-22 · CVE-2023-6965

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Pods – Custom Content Types and Fields plugin for WordPress, versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2.

Description
The issue is a Missing Authorization weakness: an authenticated attacker with contributor access or higher can create pods and users with the default role. This is possible because of a file inclusion feature exposed via shortcode.

Recommendations
For versions prior to 3.0.11 (excluding 2.7.31.2, 2.8.23.2, and 2.9.19.2), update to version 3.0.11 or later to resolve the issue. As a temporary workaround, restrict access to the file inclusion feature exposed via shortcode to reduce the risk of exploitation, and restrict contributor (or higher) access so that such users cannot create pods and users with the default role.
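To make the weakness class concrete, the following is an added example written for this advisory; it is not code from the Pods plugin. It sketches a hypothetical shortcode, [example_include file="..."], that renders a template file. The weak form shows the two problems the description names together (no authorization check, and file inclusion driven by a shortcode attribute); the hardened form allowlists the template and checks the capability of the post author who placed the shortcode. The function names, the allowlist, and the example-templates directory are assumptions.

```php
<?php
// Added example, not code from the Pods plugin: a hypothetical shortcode
// [example_include file="..."] that renders a template file.

// Weak form: any user who can place shortcodes in content (contributors and
// above) controls which file is included, and no capability is required.
function example_include_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'file' => '' ), $atts, 'example_include' );
    ob_start();
    include get_template_directory() . '/' . $atts['file'];
    return ob_get_clean();
}

// Hardened form: allowlist the template name and require that the author of
// the post (the user who placed the shortcode) holds a capability that
// contributors lack. Checking only the viewer's capability is not enough:
// the shortcode runs when the post is rendered, so an editor or administrator
// previewing a contributor's pending post would pass a viewer-only check.
function example_include_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'file' => '' ), $atts, 'example_include' );

    // Hypothetical allowlist of template basenames under a fixed directory.
    $allowed = array( 'card', 'banner' );
    if ( ! in_array( $atts['file'], $allowed, true ) ) {
        return '';
    }

    // Authorize against the post author, not the current viewer.
    $post = get_post();
    if ( ! $post || ! user_can( (int) $post->post_author, 'manage_options' ) ) {
        return '';
    }

    ob_start();
    include get_template_directory() . '/example-templates/' . $atts['file'] . '.php';
    return ob_get_clean();
}

add_shortcode( 'example_include', 'example_include_shortcode_hardened' );
```

The two checks address different parts of the advisory: the allowlist removes attribute-controlled file inclusion, and the author-based capability check closes the missing-authorization gap that lets a contributor reach a privileged feature through content they are allowed to write.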

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2023-6965

Affected Products: The Pods – Custom Content Types/Fields