Scott Kingsley Clark notified me this morning that a security update has been released for all versions of Pods 2.0 and later. Pods allows for the creation or extension of WordPress content types. Any website that uses the feature to extend WordPress’ default Users with Pods are vulnerable to this bug.
Here’s how Scott describes the issue in more detail:
In all versions of Pods 2.x, previous to Pods 2.4.2 it is possible to use a Pods AJAX-based form to create or modify an item for a different Pod than the form was intended for. This is due to a vulnerability in how the form’s nonce, or security key, was validated.
In most cases, this is a minor problem, as all data submitted to the form is still passed through data sanitization. This means that this issue could not be directly used to insert malicious data into the database. However, if you have an Extended Users Pod this could be used to gain access as an administrator on a site.
This vulnerability was due to an issue validating the “security key” (nonce) that is used to secure form submissions using Pods forms. Unfortunately, our form’s security validation was producing a false positive and did not validate it against the pod it was being checked against, and it did not throw any errors to alert us to the unintended consequences. Our forms have been specifically designed to validate the user submitting them, the pod, the fields, and the item being created/modified. At first glance, the nonce would appear to work to anyone looking at the code, but close inspection found that there were two problems in how the security key was validated.
For anyone using Pods 2.x, the fix is as simple as using the built-in WordPress one-click updater. If you are running Pods, you should update right away.
Scott announced in the post that he’s aiming for a full security audit before they release Pods 3.0, and with that release they also hope to make the plugin WordPress.com VIP approved.