
Pods CVE-2026-54191

EUVD-2026-37053 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack GHSA-c45f-2556-9gh3
7.1
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS (PR:N, AV:N, AC:L) requiring victim click (UI:R); injected script crosses into the WordPress admin context (S:C) with limited C/I/A impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026 - 10:22 (vuln.today)

Description (CVE.org)

Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.

Analysis (AI)

Unauthenticated reflected/stored cross-site scripting in the Pods WordPress plugin (versions 3.3.8 and earlier) allows remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted page or link. The flaw requires user interaction (UI:R) and carries a scope change (S:C), letting injected payloads steal session data or perform privileged actions in the WordPress admin context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Pods <= 3.3.8 target
Delivery: Craft malicious XSS payload URL
Exploit: Phish WordPress admin victim
Execution: Victim browser loads payload
Persist: Script executes in WP origin
Impact: Hijack session or create rogue admin

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the target WordPress site to have the Pods plugin installed at version 3.3.8 or earlier, (2) the vulnerable Pods endpoint to be reachable by the unauthenticated attacker over the network (PR:N, AV:N), and (3) a victim, typically an authenticated WordPress user or administrator, to interact with attacker-controlled content such as a malicious link or page (UI:R). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects a network-reachable, low-complexity, unauthenticated bug whose impact depends on a victim clicking a crafted link or visiting an attacker-controlled page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An attacker crafts a URL or web page containing a malicious payload that triggers the unsanitized Pods endpoint, then phishes a WordPress administrator into clicking it via email, social media, or a comment link. When the admin's browser renders the response, the injected JavaScript runs in the WordPress origin and can exfiltrate session cookies, create a rogue admin account via the REST API, or pivot to full site takeover. …

Remediation: Upgrade the Pods plugin to a version newer than 3.3.8 once a fixed release is published by the maintainers. Patch status in the supplied data is unclear: upstream fix availability is not independently confirmed, so consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/pods/vulnerability/wordpress-pods-plugin-3-3-8-cross-site-scripting-xss-vulnerability for the current fixed version. In the interim, deploy a WAF rule (Patchstack, Wordfence, or equivalent) to filter XSS payloads targeting Pods endpoints; restrict access to the affected plugin pages via IP allow-listing where feasible (side effect: blocks legitimate remote contributors); enforce strict Content Security Policy headers on the WordPress site to reduce the impact of script execution (side effect: may break inline scripts in themes); and require administrators to log out of WordPress before browsing untrusted links. Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running the Pods plugin at version 3.3.8 or earlier; assess whether the plugin's functionality is critical to operations; disable or isolate the plugin if it is not essential. …


CVE-2026-54191 vulnerability details – vuln.today
