Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Scott Kingsley Clark

    (@sc0ttkclark)

    Wow they seriously posted that? I’m really surprised they did because that information is wrong.

    TLDR: Pods is safe and was never in danger of being fully impacted by the WordPress.org plugin hacks that were attempted en masse a few weeks ago.

    Pods was impacted by an attempt to release an infected version but that was thwarted by our extra security precautions around our plugin release process.

    They took over one of our WordPress.org committer accounts but were unable to complete the release.

    Wordfence explains the situation here on their blog: https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/

    The impacted code was removed from SVN and prior to that was never even released as downloadable ZIPs to any WordPress site through manual installs or automatic updates.

    I’ll have to contact Patchstack. Now we’ll have to skip the Pods 3.2.3 version number to prevent more confusion but that’s easy enough.

    Plugin Contributor Scott Kingsley Clark

    (@sc0ttkclark)

    Wordfence fumbled here and listed Pods along with the other impacted versions originally. I contacted them when the post was published and had them update the post but they did not update the vulnerability page that linked to Pods as being impacted. That got picked up by Patchstack and possibly other sites.

    I’ve contacted Wordfence about the issue too.

    Thread Starter Martin Sauter

    (@martinsauter)

    Hi Scott

    Thank you for your comprehensive reply. This makes things much more clear and understandable for us Pods users. Good to know that we are safe with our current version 3.2.2.

    Best,
    Martin

    Hi Scott and all
    I must say thank you; the release confirmation setup protected us, it seems.
    It is a big big work to maintain a plugin, so I think it is good to have nice words from time to time and not only feedback when it is not working ^^

  • The topic ‘Information about backdoor in Pods 3.2.3?’ is closed to new replies.