This weekend, while performing a security review of Pods, we found a serious security issue. We have patched every version of Pods on WordPress.org that is affected. In addition, we have released Pods 126.96.36.199 that is identical to Pods 188.8.131.52 the previous release, except with this patch added.
We believe this is an especially severe issue as this issue occurred in the PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.
All Pods users are encouraged to update to Pods 184.108.40.206 immediately. To properly patch your installation of Pods:
- If you are running a current version of Pods, you can go to the Dashboard in your WordPress installation under Updates to check for new updates from WordPress.org. After updating Pods, check the Plugins listing to verify your version of Pods is 220.127.116.11.
- If for some reason you need to be on an earlier version, you can download a patched older version of Pods from our WordPress.org plugin page. Find your version on the list and re-download and replace the version in your installation.
- You can also download our absolute latest version from http://pods.io/latest/.
- If you are unable to upgrade or have concerns about upgrading, please post an issue to our forums at http://pods.io/forums/, send an email to email@example.com or join us on our Slack Chat channel http://pods.io/forums/chat/ and one of our team will be happy to assist you.
We immediately informed the WordPress.org security team upon finding the vulnerability; they generated a security-related forced autoupdate for 2.3, 2.4, and 2.5 branches to the latest patched point release for each (2.4.1 >> 2.4.4, etc).
This issue is very similar to the issue discovered and disclosed earlier this week in the WordPress SEO plugin by Yoast. Reading the details of their issue lead us to search for similar security issues in Pods. We applaud their responsible disclosure to the community. Publishing the details helps other developers work to improve security in their own codebase.
We sincerely apologize to all of our users for this security issue. We are grateful to be a part of such a wonderful community of talented open-source developers; through the open communication between developers, we are constantly learning and improving the security of our code.
We also want you to be on the lookout for updates and communications from authors of other plugins in the near future. These types of issues are likely to be found in other plugins as we all learn from each others mistakes.
Our team has done a search in several other plugins for similar issues and has reported our findings to their authors. At this time we can not share specifics about theses issues, but will as soon as it is responsible to do so.
Details Of The Issue
The issue occurred in approximately Line 859 of the PodsUI class. The orderby parameter, which is passed from the browser in a GET variable was subsequently used in an SQL query without being properly sanitized.
As a result malicious or other unintended SQL queries could be sent to the database by manipulating the GET request.
You can see the change that was made to address this issue here.
If You Have Security Concerns About Pods
If you have any questions about how this might have effected your site, please feel free to contact us via email at firstname.lastname@example.org. If you ever believe that you have discovered a security issue in Pods, we ask that you contact us privately at email@example.com. Like all plugins in the WordPress.org repository, you can also report issues to firstname.lastname@example.org.