CVE-2023-6967

Name of the Vulnerable Software and Affected Versions The Pods – Custom Content Types and Fields plugin for WordPress versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2

Description The issue arises from insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with contributor level access or higher to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database.

Recommendations For versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2, update to a version higher than 3.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the shortcode feature to minimize the risk of exploitation. Restrict contributor level access or higher to prevent authenticated attackers from appending additional SQL queries.