[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fttnl8NAwcf6hRG_3SfJZCFxDGvhIAe2qaWm6mYw9f5U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-54191","pods-custom-content-types-and-fields-unauthenticated-stored-cross-site-scripting","Pods – Custom Content Types and Fields \u003C= 3.3.8 - Unauthenticated Stored Cross-Site Scripting","The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","pods",null,"\u003C=3.3.8","3.3.9","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-15 00:00:00","2026-06-23 15:45:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa57d218c-0aee-4764-9496-065e71448a9b?source=api-prod",9,[22,23,24,25,26,27],"changelog.txt","includes\u002Fgeneral.php","init.php","readme.txt","ui\u002Fadmin\u002Fcomponents-admin.php","ui\u002Fforms\u002Fform.php","researched",false,3,"Sorry, I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or specific attack chains for vulnerabilities. For information on securing WordPress plugins against vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend searching for security practices online, such as the WordPress Plugin Handbook's section on \"Security\" or the OWASP Top 10 guidelines for \"Injection\" and \"Cross-Site Scripting.\"","The Pods plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient output escaping of URLs and variables within script blocks. Unauthenticated attackers can exploit this by submitting malicious payloads through public-facing forms that are later executed in the context of other users or administrators when they interact with form redirects or UI components.","\u002F\u002F includes\u002Fgeneral.php line 2812\necho '\u003Cscript type=\"text\u002Fjavascript\">' . 'document.location = \"' . esc_attr( str_replace( '&amp;', '&', esc_js( $location ) ) ) . '\";' . '\u003C\u002Fscript>';\n\n---\n\n\u002F\u002F ui\u002Fadmin\u002Fcomponents-admin.php line 138\nvar pods_admin_submit_callback = function ( id ) {\n\tdocument.location = '\u003C?php echo esc_url_raw( pods_query_arg( array( 'do' => 'save' ) ) ); ?>';\n}\n\n---\n\n\u002F\u002F ui\u002Fforms\u002Fform.php line 227\n\u003Cscript type=\"text\u002Fjavascript\">\n\tif ( 'undefined' == typeof ajaxurl ) {\n\t\tvar ajaxurl = '\u003C?php echo esc_url_raw( admin_url( 'admin-ajax.php' ) ); ?>';\n\t}\n\n---\n\n\u002F\u002F ui\u002Fforms\u002Fform.php line 236\nvar pods_admin_submit_callback = function ( id ) {\n\tdocument.location = '\u003C?php echo esc_url_raw( pods_query_arg( array( 'do' => $do ) ) ); ?>';\n}\n\n---\n\n\u002F\u002F ui\u002Fforms\u002Fform.php line 240\nvar pods_admin_submit_callback = function ( id ) {\n\tid = parseInt( id, 10 );\n\tvar thank_you = '\u003C?php echo esc_url_raw( $thank_you ); ?>';\n\tvar thank_you_alt = '\u003C?php echo esc_url_raw( $thank_you_alt ); ?>';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fincludes\u002Fgeneral.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fincludes\u002Fgeneral.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fincludes\u002Fgeneral.php\t2026-02-25 14:19:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fincludes\u002Fgeneral.php\t2026-05-29 15:26:06.000000000 +0000\n@@ -2809,7 +2809,7 @@\n \t\t\tdie();\n \t\t}\n \t} else {\n-\t\techo '\u003Cscript type=\"text\u002Fjavascript\">' . 'document.location = \"' . esc_attr( str_replace( '&amp;', '&', esc_js( $location ) ) ) . '\";' . '\u003C\u002Fscript>';\n+\t\techo '\u003Cscript type=\"text\u002Fjavascript\">document.location = ' . json_encode( $location ) . ';\u003C\u002Fscript>';\n \t\tif ( $die ) {\n \t\t\tdie();\n \t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fui\u002Fadmin\u002Fcomponents-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fui\u002Fadmin\u002Fcomponents-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fui\u002Fadmin\u002Fcomponents-admin.php\t2026-02-25 00:14:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fui\u002Fadmin\u002Fcomponents-admin.php\t2026-05-29 15:26:06.000000000 +0000\n@@ -135,6 +135,6 @@\n \t} );\n \n \tvar pods_admin_submit_callback = function ( id ) {\n-\t\tdocument.location = '\u003C?php echo esc_url_raw( pods_query_arg( array( 'do' => 'save' ) ) ); ?>';\n+\t\tdocument.location = \u003C?php echo json_encode( esc_url_raw( pods_query_arg( array( 'do' => 'save' ) ) ) ); ?>;\n \t}\n \u003C\u002Fscript>\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fui\u002Fforms\u002Fform.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fui\u002Fforms\u002Fform.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.8\u002Fui\u002Fforms\u002Fform.php\t2026-02-25 00:14:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpods\u002F3.3.9\u002Fui\u002Fforms\u002Fform.php\t2026-05-29 15:26:06.000000000 +0000\n@@ -224,7 +224,7 @@\n \n \u003Cscript type=\"text\u002Fjavascript\">\n \tif ( 'undefined' == typeof ajaxurl ) {\n-\t\tvar ajaxurl = '\u003C?php echo esc_url_raw( admin_url( 'admin-ajax.php' ) ); ?>';\n+\t\tvar ajaxurl = \u003C?php echo json_encode( esc_url_raw( admin_url( 'admin-ajax.php' ) ) ); ?>;\n \t}\n \n \tif ( 'undefined' == typeof pods_form_thank_you ) {\n@@ -233,13 +233,13 @@\n \n \t\u003C?php if ( $is_settings_pod ) : ?>\n \t\tvar pods_admin_submit_callback = function ( id ) {\n-\t\t\tdocument.location = '\u003C?php echo esc_url_raw( pods_query_arg( array( 'do' => $do ) ) ); ?>';\n+\t\t\tdocument.location = \u003C?php echo json_encode( esc_url_raw( pods_query_arg( array( 'do' => $do ) ) ) ); ?>;\n \t\t}\n \t\u003C?php else : ?>\n \t\tvar pods_admin_submit_callback = function ( id ) {\n \t\t\tid = parseInt( id, 10 );\n-\t\t\tvar thank_you = '\u003C?php echo esc_url_raw( $thank_you ); ?>';\n-\t\t\tvar thank_you_alt = '\u003C?php echo esc_url_raw( $thank_you_alt ); ?>';\n+\t\t\tvar thank_you = \u003C?php echo json_encode( esc_url_raw( $thank_you ) ); ?>;\n+\t\t\tvar thank_you_alt = \u003C?php echo json_encode( esc_url_raw( $thank_you_alt ) ); ?>;","To exploit this vulnerability, an attacker identifies a Pods-managed form (e.g., a frontend submission form) that allows specifying a redirect URL or stores a field value that is later rendered within a JavaScript context. By submitting a payload containing a 'javascript:' URI or a string designed to break out of a single-quoted JavaScript literal (such as \"'; alert(1);\u002F\u002F\"), the attacker can inject arbitrary scripts. Because the plugin uses functions like esc_url_raw() or esc_js() inside manually constructed single-quoted strings rather than using json_encode(), the payload can successfully bypass sanitization and execute when the form processes a submission or when a user\u002Fadmin views the affected page.","gemini-3-flash-preview","2026-06-26 00:03:59","2026-06-26 00:05:12",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.3.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpods\u002Ftags\u002F3.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpods.3.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpods\u002Ftags\u002F3.3.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpods.3.3.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpods\u002Ftags"]