CVE-2026-54191
Received Received - Intake
Unauthenticated XSS in Pods Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Patchstack

Description
Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-54191
EUVD
EUVD-2026-37053
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pods pods to 3.3.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress Pods Plugin, versions up to and including 3.3.8, contains a Cross Site Scripting (XSS) vulnerability. This means attackers can inject malicious scripts into the website, which are then executed when visitors access the site.

Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a form, which then allows the attacker to execute scripts like redirects or advertisements on the site.

This vulnerability has a medium priority with a CVSS score of 7.1 and is patched in version 3.3.9.

Impact Analysis

This vulnerability can lead to attackers injecting malicious scripts into your website, which can execute unwanted actions such as redirecting visitors to malicious sites or displaying unauthorized advertisements.

Because the vulnerability can be exploited in mass campaigns targeting thousands of websites, it poses a significant risk to website integrity and user trust.

Successful exploitation requires a privileged user interaction, but once exploited, it can compromise confidentiality, integrity, and availability of the affected site.

Detection Guidance

This vulnerability affects WordPress sites running the Pods Plugin version 3.3.8 or earlier. Detection involves verifying the plugin version installed on your WordPress site.

You can check the Pods plugin version by accessing your WordPress admin dashboard under Plugins, or by running commands on the server hosting the site.

  • Use WP-CLI to check the plugin version: wp plugin list | grep pods
  • Check the plugin version in the plugin's main PHP file, usually located at wp-content/plugins/pods/pods.php, by running: grep 'Version' wp-content/plugins/pods/pods.php

Additionally, monitoring for suspicious script injections or unexpected redirects in website traffic logs or web application firewall alerts may help detect exploitation attempts.

Mitigation Strategies

The primary and most effective mitigation step is to update the Pods plugin to version 3.3.9 or later, where the vulnerability is patched.

Until the update can be applied, Patchstack has issued a mitigation rule that can be used to block attacks targeting this vulnerability.

  • Update the Pods plugin to version 3.3.9 or newer immediately.
  • Apply the Patchstack mitigation rule to block attack attempts.
  • Monitor your website for any signs of malicious script injections or unusual behavior.
Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in the Pods plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart