Vulnerabilities and security research for pods
May 08, 2025
Pods – Custom Content Types and Fields # CVE-2025-1446
- Date: Mar 23, 2025
- Research Description: The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
- Affected versions: Min -, max -.
- Status: vulnerable
Jan 07, 2025
Pods – Custom Content Types and Fields # CVE-2024-11849
- Date: Jan 06, 2025
- Research Description: The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions: Min -, max -.
- Status: vulnerable
Nov 06, 2024
Pods – Custom Content Types and Fields # CVE-2024-9883
- Date: Nov 05, 2024
- Research Description: The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions: Min -, max -.
- Status: vulnerable
Jun 30, 2024
Pods – Custom Content Types and Fields # CVE-2024-6297
- Date: Jun 25, 2024
- Research Description: Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan.
- Affected versions: Min -, max -.
- Status: vulnerable
Jun 07, 2024
Pods – Custom Content Types and Fields # CVE-2014-7956
- Date: Jan 15, 2015
- Research Description: Cross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action in the pods page to wp-admin/admin.php.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2023-6999
- Date: Apr 10, 2024
- Research Description: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Execution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access or higher, to execute code on the server.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2023-6965
- Date: Apr 10, 2024
- Research Description: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2023-23790
- Date: May 03, 2023
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Pods Framework Team Pods – Custom Content Types and Fields plugin <= 2.9.10.2 versions.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2021-24339
- Date: Jun 22, 2021
- Research Description: The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2021-24338
- Date: Jun 22, 2021
- Research Description: The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2014-7957
- Date: Jan 15, 2015
- Research Description: Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2024-3956
- Date: May 14, 2024
- Research Description: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pod Form widget in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: Min -, max -.
- Status: vulnerable
Pods – Custom Content Types and Fields # CVE-2023-6967
- Date: Apr 10, 2024
- Research Description: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to SQL Injection via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions: Min -, max -.
- Status: vulnerable