The developers of Pods, a popular WordPress plugin used to create and extend custom post types, content types, taxonomies, users, media, or comments, has released an update that addresses a critical security vulnerability. Version 2.4.3 and all previous versions of the plugin have been patched in case you can’t upgrade to the latest version immediately. Simply download the version you’re using and overwrite the files to receive the patch. Pods 2.4.3 also contains other security hardening fixes that can be reviewed via the changelog.
According to the announcement, those using the Extended Users Pod are especially at risk. The combination of a Pods AJAX-based form vulnerability combined with the Extended Users Pod could allow users to gain access as an administrator to a site.
This vulnerability was due to an issue validating the “security key” (nonce) that is used to secure form submissions using Pods forms. Unfortunately, our form’s security validation was producing a false positive and did not validate it against the pod it was being checked against, and it did not throw any errors to alert us to the unintended consequences.
Our forms have been specifically designed to validate the user submitting them, the pod, the fields, and the item being created/modified. At first glance, the nonce would appear to work to anyone looking at the code, but close inspection found that there were two problems in how the security key was validated.
For those curious, you can see what Scott Kingsley Clark did to fix the issue in this and another commit.
Through Collaboration, Clark Was Able To Quickly Spread The News
Clark informed me this was his first time dealing with a situation like this. The first thing he did was hire Mark Jaquith through Covered Web Services to perform a WordPress security audit to make sure the changes would fix the problem and not introduce new vulnerability’s.
After confirming the patched code, Clark reached out to WPEngine, GoDaddy, iThemes, Sucuri, WP Tavern, and PostStat.us to help spread the word.
How To Report A Security Issues To The Developers of Pods
If you think you’ve discovered a security issue with the Pods plugin, the team requests that you do not publicly disclose the issue until they’ve had time to address and fix it. You can contact the team directly at contact@pods.io. You may also contact security@wordpress.org with security concerns about Pods or any other plugins hosted in the WordPress.org plugin directory.