Important Security Disclosure

This weekend, while performing a security review of Pods, we found a serious security issue. We have patched every affected version of Pods on WordPress.org. In addition, we have released Pods 2.5.1.2, which is identical to the previous release, Pods 2.5.1.1, except with this patch added.

We believe this is an especially severe issue as this issue occurred in the PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.

All Pods users are encouraged to update to Pods 2.5.1.2 immediately. To properly patch your installation of Pods:

  • If you are running a current version of Pods, you can go to the Dashboard in your WordPress installation under Updates to check for new updates from WordPress.org. After updating Pods, check the Plugins listing to verify your version of Pods is 2.5.1.2.
  • If for some reason you need to be on an earlier version, you can download a patched older version of Pods from our WordPress.org plugin page. Find your version on the list and re-download and replace the version in your installation.
  • You can also download our absolute latest version from http://pods.io/latest/.
  • If you are unable to upgrade or have concerns about upgrading, please post an issue to our forums at http://pods.io/forums/, send an email to contact@pods.io or join us on our Slack Chat channel http://pods.io/forums/chat/ and one of our team will be happy to assist you.

We immediately informed the WordPress.org security team upon finding the vulnerability; they generated a security-related forced auto-update for the 2.3, 2.4, and 2.5 branches to the latest patched point release of each (for example, 2.4.1 to 2.4.4).

This issue is very similar to the issue discovered and disclosed earlier this week in the WordPress SEO plugin by Yoast. Reading the details of their issue led us to search for similar security issues in Pods. We applaud their responsible disclosure to the community. Publishing the details helps other developers work to improve security in their own codebase.

We sincerely apologize to all of our users for this security issue. We are grateful to be a part of such a wonderful community of talented open-source developers; through the open communication between developers, we are constantly learning and improving the security of our code.

We also want you to be on the lookout for updates and communications from authors of other plugins in the near future. These types of issues are likely to be found in other plugins as we all learn from each other's mistakes.

Our team has searched several other plugins for similar issues and has reported our findings to their authors. At this time we cannot share specifics about these issues, but we will as soon as it is responsible to do so.

Details Of The Issue

The issue occurred at approximately line 859 of the PodsUI class. The orderby parameter, which is passed from the browser in a GET variable, was subsequently used in an SQL query without being properly sanitized.

As a result, malicious or other unintended SQL queries could be sent to the database by manipulating the GET request.
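The pattern described above, with the fix beside it, as an added illustration that is not Pods' own code: the vulnerable builder concatenates the GET value into ORDER BY, while the hardened builder maps it onto a fixed allow-list of column names and sort directions. The function names, table name, and the allowed column list are assumptions made for the example.

```php
<?php
// Added example, not code from the Pods plugin. Shows the class of bug
// described above (an ORDER BY column taken from $_GET) next to an
// allow-list fix. Function names and the column list are assumptions.

/**
 * Vulnerable pattern: the orderby value from the query string is placed
 * straight into the SQL text. ORDER BY takes an identifier, not a quoted
 * value, so neither string escaping nor a prepared-statement placeholder
 * can protect this position; only validation can.
 */
function build_list_query_vulnerable(string $table, array $get): string
{
    $orderby = $get['orderby'] ?? 'id';
    return "SELECT * FROM `{$table}` ORDER BY {$orderby}";
}

/**
 * Hardened pattern: accept only a known column name and a known direction;
 * anything else falls back to the default. Apply this on every request,
 * regardless of who is logged in, because the same UI code may serve
 * non-admin users on the front end.
 */
function build_list_query_safe(
    string $table,
    array $get,
    array $allowed_columns,
    string $default_column = 'id'
): string {
    $requested = strtolower((string) ($get['orderby'] ?? $default_column));
    $column    = in_array($requested, $allowed_columns, true) ? $requested : $default_column;

    $dir = strtoupper((string) ($get['order'] ?? 'ASC'));
    $dir = ($dir === 'DESC') ? 'DESC' : 'ASC';

    // Both pieces now come from fixed lists, never from the raw request.
    return "SELECT * FROM `{$table}` ORDER BY `{$column}` {$dir}";
}

// Constructed sample requests (not captured traffic): one ordinary sort,
// one value that is not a column name and must be rejected.
$allowed_columns = ['id', 'name', 'created'];
$sample_requests = [
    ['orderby' => 'name', 'order' => 'desc'],
    ['orderby' => 'name, (SELECT 1)'],
];

foreach ($sample_requests as $get) {
    echo 'request : ' . json_encode($get) . "\n";
    echo 'vuln    : ' . build_list_query_vulnerable('items', $get) . "\n";
    echo 'safe    : ' . build_list_query_safe('items', $get, $allowed_columns) . "\n\n";
}
```

The second sample request shows why an allow-list is the right check here: the unvalidated builder emits the request text verbatim after ORDER BY, while the hardened builder ignores it and falls back to `id ASC`. Escaping helpers such as WordPress's `esc_sql()` are designed for values inside quotes and would not have closed this hole on their own.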

You can see the change that was made to address this issue here.

If You Have Security Concerns About Pods

If you have any questions about how this might have affected your site, please feel free to contact us via email at contact@pods.io. If you ever believe that you have discovered a security issue in Pods, we ask that you contact us privately at contact@pods.io. Like all plugins in the WordPress.org repository, you can also report issues to security@wordpress.org.

PodsCast #002: Data Structure Planning: !important;

Pods is one of the many great ways to use WordPress as a highly-customizable content management system. Success in these types of projects is often contingent on proper planning. On this episode, we discuss how to choose the right content types, and relationships between them.

This is a live event, which will be held on Tuesday March 17th at 3PM eastern, so you can join in and ask the Pods team any questions you have about choosing the right content types, field types and how to get the most out of relationship fields to connect your content types. There will be live music and live diagramming!

If you are watching live, you can ask questions in the #podscast channel of our Slack or by tweeting them at us. All episodes of the Podscast can be viewed at any time on our Youtube channel.

Show Notes

PodsCast #001: Find’ing Your Way with Pods:Find()

We are happy to announce the PodsCast, a live, bi-monthly video podcast with Pods team members. Each week we will spend about an hour talking about a specific part of Pods and answering user questions. Users can submit their questions on twitter using the hashtag #podscast or the #podscast channel in our Slack.

For our first episode we will be investigating the find method of the Pods class–our version of WP_Query. It’s at the heart of almost everything you do with Pods. We will be discussing how it works, how to use it and how to read the big green chart on its docs page.

You can watch live, at 2PM eastern on Tuesday March 2nd, or view the recording afterwards right here:

Show Notes