Pods < 3.2.8.2 - Admin+ SQL Injection
Description
The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Pods WordPress plugin before 3.2.8.2 fails to sanitize a parameter, allowing admin-level SQL injection.
Vulnerability
The Pods WordPress plugin versions before 3.2.8.2 do not sanitize and escape a parameter before using it in a SQL statement [1]. This flaw exists in the plugin's database interaction code and can be triggered by an administrator user. The vulnerability is classified as CWE-89 (SQL Injection) [1].
Exploitation
An attacker with administrator-level access to a WordPress site running an affected version of Pods can exploit this by supplying a crafted parameter that is not properly sanitized [1]. The attacker must be authenticated as an admin to reach the vulnerable code path. By manipulating the unsanitized input, the attacker can inject arbitrary SQL commands into the database query [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries within the WordPress database context [1]. This can lead to information disclosure (reading sensitive data such as user credentials or configuration), corruption of data, or potential privilege escalation within the WordPress ecosystem. The CVSS score is 4.1 (medium) [1].
Mitigation
The vulnerability is fixed in Pods version 3.2.8.2 [1]. Users should update the plugin to this version or later immediately. No workaround is provided in the reference. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.2.8.2
- Package: https://wordpress.org/plugins/pods
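To turn the affected range above into a check a site owner can run against an installed copy, here is an added Python helper (not part of this advisory or of the Pods project) that reads the version out of a Pods `init.php` and compares it component-wise against 3.2.8.2; the function and constant names, and the sample `init.php` text, are constructed for this example.

```python
"""Constructed helper: decide whether a Pods install falls in the
affected range '<3.2.8.2'. Not part of the advisory or the Pods project."""
import re
from typing import Optional, Tuple

AFFECTED_BELOW = "3.2.8.2"  # first fixed version, from the advisory

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.8.1' into (3, 2, 8, 1); a pre-release suffix such as
    '-beta1' is dropped so the numeric core still compares."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def version_lt(a: str, b: str) -> bool:
    """Component-wise comparison, padding the shorter tuple with zeros so
    '3.2.8' == '3.2.8.0' and '3.2.10' > '3.2.8.2' (plain string comparison
    would get the second case wrong)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb

def pods_version_from_init(init_php: str) -> Optional[str]:
    """Pull the version out of a Pods init.php: prefer the PODS_VERSION
    define, fall back to the plugin header's 'Version:' line."""
    m = re.search(r"define\(\s*'PODS_VERSION'\s*,\s*'([^']+)'\s*\)", init_php)
    if m:
        return m.group(1)
    m = re.search(r"^\s*\*\s*Version:\s*(\S+)", init_php, re.MULTILINE)
    return m.group(1) if m else None

def is_affected(version: str) -> bool:
    """True when the given Pods version is below the fixed release."""
    return version_lt(version, AFFECTED_BELOW)

# Constructed sample resembling the header and define shown in the patch.
SAMPLE_INIT_PHP = """<?php
/**
 * Plugin Name: Pods - Custom Content Types and Fields
 * Version: 3.2.8.1
 */
define( 'PODS_VERSION', '3.2.8.1' );
"""

if __name__ == "__main__":
    v = pods_version_from_init(SAMPLE_INIT_PHP)
    print(v, "affected" if v and is_affected(v) else "fixed")
```

Point it at `wp-content/plugins/pods/init.php` on the host being checked; a result of "affected" means the Relationship field SQL clause options are still passed through unguarded.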
Patches
169d701170803 Pods 3.2.8.2 (#7396)
6 files changed · +31 −5
changelog.txt+4 −0 modified@@ -2,6 +2,10 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases += 3.2.8.2 - February 7th, 2025 = + +* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark) + = 3.2.8.1 - November 22nd, 2024 = * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
classes/fields/pick.php+14 −1 modified@@ -2696,14 +2696,23 @@ public function get_object_data( $object_params = null ) { $params = array( 'select' => "`t`.`{$search_data->field_id}`, `t`.`{$search_data->field_index}`", 'table' => $search_data->table, - 'where' => pods_v( static::$type . '_where', $options, (array) $table_info['where_default'], true ), + 'where' => pods_v( static::$type . '_where', $options, null, true ), 'orderby' => pods_v( static::$type . '_orderby', $options, null, true ), 'having' => pods_v( static::$type . '_having', $options, null, true ), 'groupby' => pods_v( static::$type . '_groupby', $options, null, true ), 'pagination' => false, 'search' => false, ); + if ( ! pods_can_use_dynamic_feature_sql_clauses() ) { + $params['where'] = $params['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : (array) $table_info['where_default']; + $params['orderby'] = null; + $params['having'] = null; + $params['groupby'] = null; + } elseif ( null === $params['where'] ) { + $params['where'] = (array) $table_info['where_default']; + } + if ( in_array( $options[ static::$type . '_object' ], array( 'site', 'network' ), true ) ) { $params['select'] .= ', `t`.`path`'; } @@ -2883,6 +2892,10 @@ public function get_object_data( $object_params = null ) { $pick_orderby = pods_v( static::$type . '_orderby', $options, null, true ); + if ( ! pods_can_use_dynamic_feature_sql_clauses() ) { + $pick_orderby = null; + } + if ( is_string( $pick_orderby ) && 0 < strlen( $pick_orderby ) ) { $orderby[] = $pick_orderby; }
classes/widgets/PodsWidgetList.php+5 −0 modified@@ -41,6 +41,11 @@ public function widget( $args, $instance ) { 'cache_mode' => trim( (string) pods_v( 'cache_mode', $instance, 'none', true ) ), ); + if ( ! pods_can_use_dynamic_feature_sql_clauses() ) { + $args['orderby'] = ''; + $args['where'] = $args['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : ''; + } + $content = trim( (string) pods_v( 'template_custom', $instance, '' ) ); if ( 0 < strlen( $args['name'] ) && ( 0 < strlen( $args['template'] ) || 0 < strlen( $content ) ) ) {
init.php+2 −2 modified@@ -10,7 +10,7 @@ * Plugin Name: Pods - Custom Content Types and Fields * Plugin URI: https://pods.io/ * Description: Pods is a framework for creating, managing, and deploying customized content types and fields - * Version: 3.2.8.1 + * Version: 3.2.8.2 * Author: Pods Framework Team * Author URI: https://pods.io/about/ * Text Domain: pods @@ -43,7 +43,7 @@ add_action( 'init', 'pods_deactivate_pods_ui' ); } else { // Current version. - define( 'PODS_VERSION', '3.2.8.1' ); + define( 'PODS_VERSION', '3.2.8.2' ); // Current database version, this is the last version the database changed. define( 'PODS_DB_VERSION', '2.3.5' );
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "pods", - "version": "3.2.8.1", + "version": "3.2.8.2", "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.", "author": "Pods Foundation, Inc", "homepage": "https://pods.io/",
readme.txt+5 −1 modified@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields Requires at least: 6.0 Tested up to: 6.7 Requires PHP: 7.2 -Stable tag: 3.2.8.1 +Stable tag: 3.2.8.2 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -182,6 +182,10 @@ Pods really wouldn't be where it is without all the contributions from our [dono == Changelog == += 3.2.8.2 - February 7th, 2025 = + +* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark) + = 3.2.8.1 - November 22nd, 2024 = * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
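Review bot: in the `! pods_can_use_dynamic_feature_sql_clauses()` branch of the first `classes/fields/pick.php` hunk, a configured custom `where` is replaced with `'0=1 /* Dynamic SQL clauses disabled in Pods */'`, so a Relationship field that carried a custom clause silently returns no rows, while a field with no clause still falls back to `(array) $table_info['where_default']`. Failing closed is the right call, but it deserves a code comment and a line in the changelog entry (which only says custom clauses are "not allowed") so site owners know why those pickers come up empty after upgrading. Note also that this is a gate, not escaping: when the security setting permits dynamic SQL clauses, the `where`, `orderby`, `having` and `groupby` values read from `$options` still reach the query verbatim, so the changelog's "when SQL clauses are disabled" is the accurate scope of the fix.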
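Review bot: the second `classes/fields/pick.php` hunk re-reads `static::$type . '_orderby'` from `$options` into `$pick_orderby` and guards it with a second `pods_can_use_dynamic_feature_sql_clauses()` check. Because the first hunk only nulled `$params['orderby']` and this code path reads the option afresh, both guards are needed, but they can drift apart; reading the clause options once into a sanitized array and reusing it in both places would remove the duplication.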
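Review bot: the `classes/widgets/PodsWidgetList.php` hunk clears only `orderby` and `where` when dynamic SQL clauses are disabled, whereas the `pick.php` hunk also nulls `having` and `groupby`. If the widget's `$args` array, built from `$instance` above this hunk and not fully visible here, carries those keys too, they would still pass through; either null them here as well or document why the list widget exposes no such options. A small shared helper that strips every clause key from an args array would keep the two call sites consistent.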
References
1. wpscan.com/vulnerability/c170fb45-7ed5-40ef-99f6-8da035a23d89/ (mitre, exploit, vdb-entry, technical-description)