Pods Framework Security Release Fixes Severe Vulnerability


Last week a blind SQL injection vulnerability was discovered in Yoast’s popular WordPress SEO plugin. Given the severity of the vulnerability and the fact that the plugin is installed on more than one million WordPress sites, the security team at WordPress.org pushed a forced update to mitigate the possibility of mass exploitation.

Following this incident, the Pods framework team proactively performed a security review of their plugin and found an issue similar to the one discovered and disclosed last week in the WordPress SEO plugin. Contributor Josh Pollock describes the issue in the release announcement:

We believe this is an especially severe issue as this issue occurred in the PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.

The issue occurred in approximately Line 859 of the PodsUI class. The orderby parameter, which is passed from the browser in a GET variable was subsequently used in an SQL query without being properly sanitized.

As a result malicious or other unintended SQL queries could be sent to the database by manipulating the GET request.

Pods, released today, is a security update that patches this vulnerability. If you require an earlier version of the plugin, patched versions of older versions are available the releases page. All users are advised to update immediately.

The Pods framework is used for creating, managing, and deploying customized content types and fields. It’s active on more than 30,000 WordPress installations. Contributors on the project credit Yoast’s transparency on the recent security issue as having inspired their team to proactively examine Pods.

“Reading the details of their issue led us to search for similar security issues in Pods,” Pollock said. “We applaud their responsible disclosure to the community. Publishing the details helps other developers work to improve security in their own codebase.”

More Security Updates on the Way for Popular WordPress Plugins

All relatively complex plugins will have security issues pop up from time to time that will require immediate patching. Fortunately, the plugin authors in these scenarios have been quick to respond.

This particular vulnerability is not limited to Pods and the WordPress SEO plugin by Yoast. Pollock advises that WordPress users should be on the lookout for more security updates to follow for other popular plugins.

“Our team has done a search in several other plugins for similar issues and has reported our findings to their authors,” he said. “At this time we can not share specifics about theses issues, but will as soon as it is responsible to do so.”


2 responses to “Pods Framework Security Release Fixes Severe Vulnerability”

  1. “All users are advised to update immediately.”

    No need. Pods has already been automatically updated :( Haven’t had the chance to disable auto-updates for plugins yet, so I’m not happy. At least with the Yoast plugin there were a few hours between the release and the auto-update, so I had the chance to do it myself. It seems like this went straight from release to auto-update, without any time for manual updates. Thank goodness I finally have some time today — auto-updates are scary!! When I signed in to update Pods, my dashboard wouldn’t load at first, but after a refresh it loaded fine. I suspect the auto-update to be the culprit, but really I have no clue… Did anyone else experience something like that?


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.