CVE-2024-9883 – Pods < 3.2.7.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-9883
The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/ea4b277e-ef47-4e38-bd82-c5a54a95372f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23790 – WordPress Pods Plugin <= 2.9.10.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-23790
Cross-Site Request Forgery (CSRF) vulnerability in Pods Framework Team Pods – Custom Content Types and Fields plugin <= 2.9.10.2 versions. The Pods plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10.2. This is due to missing or incorrect nonce validation when deleting pods. This makes it possible for unauthenticated attackers to delete pods via forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/pods/wordpress-pods-custom-content-types-and-fields-plugin-2-9-10-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-24338 – Pods < 2.7.27 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24338
The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter. • https://wpscan.com/vulnerability/d5b015f3-90c7-4d51-a71d-630d60965151 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-24338 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24339 – Pods < 2.7.27 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24339
The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter. • https://wpscan.com/vulnerability/8e72236d-f620-4503-a324-dcf49405351b https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-24339 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-7957 – Pods <= 2.4.3 - Multiple Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-7957
Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.
WordPress Pods plugin versions 2.4.3 and below suffer from cross site request forgery and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129890/WordPress-Pods-2.4.3-CSRF-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Jan/26 http://www.securityfocus.com/archive/1/534437/100/0/threaded http://www.securityfocus.com/bid/71996 https://wordpress.org/plugins/pods/changelog • CWE-352: Cross-Site Request Forgery (CSRF)