Version/s Tested: 184.108.40.206 and previous
Pods is a popular custom content types and fields plugin for WordPress. In the PodsUI class, which is used to build Pods administration interfaces, the orderby SQL query is set via a GET variable, which was not properly sanitized.
At approximately Line 859 of the PodsUI class an orderby parameter, which is passed from the browser in a GET variable was subsequently used in an SQL query without being properly sanitized. The PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.
Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for 10 seconds if in any page that uses the PodsUI class:
Which will generate the following SQL Query:
SELECT DISTINCT `t`.*
FROM `wp_pods_<PODNAME>` AS `t`
ORDER BY post_date,(select * from (select(sleep(10)))a), `t`.`name`, `t`.`id`
LIMIT 0, 25
<PODNAME> must be a valid Advanced Content Type Pod
Complete compromise of the WordPress installation by an uny third-party that has access to an interface, front-end or back-end, created with PodsUI. Access to Pods Admin defaults to admin level user only, but can be changed. Custom interfaces created with PodsUI have access-levels determined on a per interface basis. They are often used to created interfaces with controlled, limited content editing capabilities.
A security release 220.127.116.11 made a change as seen in this diff: https://github.com/pods-framework/pods/commit/7eda9c183a97cc6987624f8f05d02854142d493b/?diff=split to correct the problem. All affected branches have been patched on WordPress.org and Github.
March 14th 2015 Issue found via internal review. Release and disclosure delayed due to weekend timing and awaiting response from WordPress.org security team.
March 14th 2015 WordPress.org security team notified, requesting forced update. No response as of March 16th 2015.
March 16th 2015 New version and patches released.
Vulnerability discovered and fixed by Scott Kingsley Clark, Lead Developer of Pods (Pods.io)