

Date: June 21, 2021


The Pods WordPress plugin, in versions up to and including 2.7.26, is vulnerable to Stored Cross-Site Scripting (XSS) because user input in the `Singular Label` field is not properly validated or escaped before it is rendered in the web page. An authenticated attacker with permission to create Pods can inject script into this field; the payload is stored and executes in the browser of any user who later views the affected page.


The WordPress `Pods - Custom Content Types and Fields` plugin is affected by a Stored Cross-Site Scripting vulnerability: the value submitted for the `Singular Label` field is neither validated on input nor escaped for its HTML context on output, so it is written into the page markup unchanged. An authenticated attacker can therefore persist arbitrary script that runs in the context of the WordPress site whenever the Pods page is rendered.
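The following PHP snippet is an added illustration of this vulnerability class and its fix; it is not code from the Pods plugin, and the function names and the sample label value are hypothetical. It contrasts a render function that concatenates a stored label straight into markup with one that encodes the value for the HTML context at output time (the same thing WordPress's esc_html() / esc_attr() do; htmlspecialchars() is used here so the snippet runs outside WordPress).

```php
<?php
// Added example of stored XSS through an unescaped label field.
// Not the Pods plugin's code; all names here are hypothetical.

// Constructed sample: a value an attacker saved in a "Singular Label" style field.
$stored_singular_label = '<script>alert(document.domain)</script>';

// Vulnerable pattern: the stored value is concatenated into the page markup as-is,
// so any HTML or script the attacker stored is interpreted by the browser.
function render_label_vulnerable(string $label): string
{
    return '<h2 class="pods-label">' . $label . '</h2>';
}

// Hardened pattern: encode for the HTML text context at output time.
// In WordPress this is esc_html($label); htmlspecialchars() is the underlying call.
function render_label_escaped(string $label): string
{
    return '<h2 class="pods-label">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// The same value echoed back into a form field needs attribute-context escaping
// (esc_attr() in WordPress); ENT_QUOTES ensures both " and ' are encoded so the
// attacker cannot close the attribute and add event handlers.
function render_label_in_attribute(string $label): string
{
    return '<input type="text" name="label" value="'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

echo render_label_vulnerable($stored_singular_label), PHP_EOL;
echo render_label_escaped($stored_singular_label), PHP_EOL;
echo render_label_in_attribute('" onfocus="alert(1)" autofocus="'), PHP_EOL;
```

Output escaping is the primary control here because the label is legitimately free text; input validation (for example a length limit or a character allowlist on the label) is a useful second layer but does not replace context-aware encoding at the point where the value is written into HTML.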

PoC Details

On a WordPress installation with the `Pods` plugin installed and activated, a `Pods Admin` entry appears in the left-hand menu of the dashboard. Log in as a user with permission to manage Pods and proceed as follows:

1. Open `Pods Admin`, then click `Add New` -> `Create New`.
2. Select `Custom Post Type` as the `Content Type` from the drop-down menu.
3. Place the XSS payload in the `Singular Label` text field and fill in the remaining required fields.
4. Click `Next Step`. The payload is rendered unescaped and executes immediately, showing an alert box.

Because the label is persisted, the payload executes again every time the Pods page is opened, including in the browser of any other user who views it.

PoC Code


Affected Environments

Pods WordPress plugin, versions up to and including 2.7.26

Remediation: Upgrade to 2.7.27

Language: PHP

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version 2.7.27


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None