WordPress Pods Plugin <= 2.9.10.2 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in Pods Framework Team Pods – Custom Content Types and Fields plugin <= 2.9.10.2 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in the Pods – Custom Content Types and Fields plugin up to version 2.9.10.2: a request triggered from a third-party site can perform state-changing actions in the context of a logged-in user.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Pods – Custom Content Types and Fields plugin for WordPress, affecting versions <= 2.9.10.2 [1]. In WordPress plugins this class of flaw means a state-changing request handler does not verify a nonce (wp_verify_nonce() / check_admin_referer()) bound to the current user and the specific action, so the server cannot tell a request the administrator intended from one that another site made the browser send along with the WordPress authentication cookies. The published description does not name the affected handler or action.
Exploitation
An attacker hosts a page (or distributes a link) containing a form or script that submits the plugin's request to the target site. When a user who is logged into that site's wp-admin visits the page, the browser attaches the site's auth cookies and the action executes as that user. The attacker needs no account on the target; the victim must be authenticated with privileges sufficient for the forged action, which for plugin administration normally means an administrator, and must be lured to the attacker's content while logged in.
Impact
Successful exploitation performs the forged action with the victim's privileges. For a plugin that manages content types and fields, that means changes to plugin settings, Pod or field definitions, or stored content, so the primary risk is to data integrity and site configuration. The exact set of reachable actions depends on which handler lacks the nonce check, which the published description does not specify; the impact is bounded by what the victim's role can do.
Mitigation
Update Pods to a version later than 2.9.10.2; the current release line (3.3.8 at the time this insight was generated) is past the affected range [1]. If an immediate update is not possible, administrators should avoid browsing untrusted sites while logged into wp-admin, or use a separate browser profile for administration. Note the limits of browser-side defences: WordPress does not set a SameSite attribute on its auth cookies, so browsers that default such cookies to Lax will block most cross-site POST submissions (Chromium still sends cookies younger than two minutes on top-level cross-site POSTs), but Lax does not block state changes triggered by a top-level GET navigation. A WAF or security plugin can at best filter on the Origin or Referer header; it does not add the missing nonce check to another plugin's handler.
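The following is an added illustrative example, not code from the Pods plugin, showing the handler pattern described in the Vulnerability and Exploitation sections beside the hardened form the Mitigation section relies on. All names (the example_save_settings actions, the example_settings option, the example_save nonce action, the example_nonce field, and the victim/attacker hostnames in the comments) are hypothetical; the WordPress functions used (add_action, update_option, wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, wp_safe_redirect) are the real core API.

```php
<?php
// Added example: a generic WordPress admin_post handler, NOT code from Pods.
// Hypothetical names: example_save_settings*, example_settings, example_save, example_nonce.

// --- Vulnerable pattern: the handler trusts any request that arrives with the admin's cookies.
// An attacker page can auto-submit this form while the victim is logged in:
//   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
//     <input type="hidden" name="action" value="example_save_settings_vuln">
//     <input type="hidden" name="settings[label]" value="owned">
//   </form><script>document.forms[0].submit()</script>
add_action( 'admin_post_example_save_settings_vuln', function () {
    // No capability check and no nonce check: the browser attached the WordPress auth
    // cookies, so the request is authenticated but its *intent* was never verified.
    $raw = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_settings', $raw );
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
} );

// --- Hardened pattern: the form embeds a nonce, the handler checks capability then nonce.
function example_render_settings_form() {
    $opt = (array) get_option( 'example_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php
        // Emits a hidden field whose value is wp_create_nonce('example_save'): an HMAC over the
        // action, the current user ID, the session token and a time tick. A page on
        // attacker.example cannot read or compute it for the victim.
        wp_nonce_field( 'example_save', 'example_nonce' );
        ?>
        <input type="text" name="settings[label]" value="<?php echo esc_attr( $opt['label'] ?? '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', function () {
    // 1. Authorization: the logged-in user must be allowed to perform this action at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. Intent: the request must carry a nonce issued for this action to this user.
    //    check_admin_referer() calls wp_verify_nonce() on $_POST['example_nonce'] and
    //    terminates the request with a 403-style "link expired" page if it is missing or wrong.
    check_admin_referer( 'example_save', 'example_nonce' );

    // 3. Only now read and sanitize the input, then persist it.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array( 'label' => sanitize_text_field( $raw['label'] ?? '' ) );
    update_option( 'example_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example' ) ) );
    exit;
} );
```

The order in the hardened handler matters: current_user_can() answers "may this user do this at all", check_admin_referer() answers "did this user actually ask for it". A capability check alone does not stop CSRF, because the forged request is made by a user who does have the capability; a nonce check alone lets any low-privileged user with a valid nonce for their own session reach the code. When auditing a plugin for this bug class, look for admin_post_*, wp_ajax_* and admin_init handlers that call update_option(), wp_insert_post(), wp_delete_post() or direct $wpdb writes without a preceding wp_verify_nonce() / check_admin_referer() / check_ajax_referer().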
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Pods Framework Team / Pods – Custom Content Types and Fields (v5); Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.