CVE-2023-6967 in Pods Plugin

Summary

by MITRE • 04/09/2024

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to SQL Injection via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2) due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2023-6967 affects the Pods – Custom Content Types and Fields plugin for WordPress, representing a critical security flaw that undermines database integrity and data confidentiality. This issue manifests specifically in versions up to and including 3.0.10, excluding certain patch releases that have been noted as unaffected. The vulnerability stems from inadequate input sanitization mechanisms within the plugin's shortcode processing functionality, creating an exploitable pathway for malicious actors to manipulate database queries through crafted user input.

The technical exploitation of this vulnerability occurs through SQL injection techniques that leverage the plugin's insufficient escaping of user-supplied parameters. When authenticated users with contributor-level access or higher utilize shortcodes within the plugin's framework, the system fails to properly prepare or sanitize the input data before incorporating it into existing SQL queries. This lack of proper input validation creates a condition where attackers can inject malicious SQL code that becomes appended to legitimate database operations. The vulnerability operates at the intersection of CWE-89 and CWE-77, combining improper input validation with SQL injection weaknesses to create a dangerous attack surface.

The operational impact of this vulnerability extends beyond simple data extraction, as authenticated attackers with contributor privileges can potentially access sensitive database information including user credentials, personal data, and system configuration details. The attack vector requires only minimal privilege escalation, making it particularly dangerous in environments where multiple users have contributor-level access. Once exploited, attackers can construct complex SQL queries that may reveal database schema information, extract user account details, or even modify existing records. This vulnerability directly aligns with ATT&CK technique T1213.002 for Data from Databases and T1078.004 for Valid Accounts, as it leverages legitimate user privileges to access sensitive information.

Mitigation strategies for CVE-2023-6967 require immediate action to address the core issue through proper input sanitization and parameterized query implementation. WordPress administrators should upgrade to the latest plugin versions that have been patched to address this vulnerability, particularly noting the excluded versions that contain the necessary fixes. The recommended approach involves implementing proper prepared statements and parameter binding techniques to ensure that user input cannot be interpreted as SQL code. Additionally, network monitoring should be enhanced to detect unusual database query patterns that might indicate exploitation attempts. Security hardening measures including role-based access controls and regular security audits should be implemented to reduce the attack surface and prevent unauthorized privilege escalation. Organizations should also consider implementing database activity monitoring solutions to detect and alert on suspicious SQL injection attempts that could indicate exploitation of this vulnerability.
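
An added example (not from the advisory or the Pods project) of an audit that can accompany the upgrade: it scans exported post content for the plugin's shortcode and flags attribute values that carry SQL fragments, so posts saved by contributor-level accounts can be reviewed. The shortcode tag `pods`, the attribute names, the row layout and the marker list are assumptions, and the sample posts are constructed.

```python
import re

# Assumption: the plugin's shortcode tag is "pods"; the advisory does not name it.
SHORTCODE_RE = re.compile(r"\[pods\b([^\]]*)\]", re.IGNORECASE)
# Matches name="value", name='value' or name=bare inside the shortcode.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Heuristic markers of SQL inside an attribute value; tune for your content,
# since legitimate values can contain some of these characters.
SUSPICIOUS_RE = re.compile(
    r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|;|--|/\*"
    r"|\bsleep\s*\(|\bbenchmark\s*\(|information_schema",
    re.IGNORECASE | re.DOTALL,
)


def parse_attrs(raw):
    """Return {attribute: value} for one shortcode's attribute string."""
    return {
        m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
        for m in ATTR_RE.finditer(raw)
    }


def audit_posts(posts):
    """Return (post_id, author_role, attribute, value) for each flagged attribute."""
    findings = []
    for post in posts:
        for shortcode in SHORTCODE_RE.finditer(post["content"]):
            for name, value in parse_attrs(shortcode.group(1)).items():
                if SUSPICIOUS_RE.search(value):
                    findings.append((post["id"], post["author_role"], name, value))
    return findings


# Constructed sample rows, e.g. from an export of post content joined with the
# author's role. "example_attr" is a hypothetical attribute name.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "editor",
     "content": 'Team: [pods name="person" limit="5" orderby="post_title ASC"]'},
    {"id": 102, "author_role": "contributor",
     "content": 'Draft [pods name="person" example_attr="1 UNION SELECT 2"]'},
    {"id": 103, "author_role": "contributor",
     "content": "Plain text that mentions SELECT and FROM; no shortcode --."},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print("review:", finding)
```

Only text inside a shortcode is inspected, so ordinary prose that mentions SQL keywords (post 103) is not flagged.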

Responsible: Wordfence

Reservation: 12/19/2023

Disclosure: 04/09/2024

Moderation: accepted

CPE: ready

EPSS: 0.00821

KEV: no

Activities: low
