The Pods WordPress plugin, versions 220.127.116.11 to 2.7.26, is vulnerable to stored Cross-Site Scripting (XSS) because user input in the `Menu Label` field is not validated properly before it is rendered. An authenticated attacker can inject malicious code into this field, and it is then rendered into the web page.
The WordPress `Pods - Custom Content Types and Fields` plugin is affected by a stored Cross-Site Scripting vulnerability: the plugin performs insufficient validation of the value submitted in the `Menu Label` field before rendering it on the web page. Because of this flaw, an authenticated attacker can achieve stored Cross-Site Scripting.
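As an added illustration (not code from the Pods plugin or its authors), the PHP below contrasts the unescaped rendering pattern that produces this class of bug with the escaped form, and shows input-side sanitisation as a second layer. The `esc_html()` and `sanitize_text_field()` shims are assumptions that stand in for the WordPress core functions so the file runs outside WordPress, and the hostile label is a constructed sample.

```php
<?php
// Added illustration, not the Pods plugin's own code. The shims below are only
// used when WordPress core is not loaded; inside WordPress the real functions win.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): encode for safe insertion into HTML text.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): drop script/style blocks
    // with their contents, strip remaining tags, collapse whitespace, trim.
    function sanitize_text_field(string $text): string {
        $text = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $text);
        $text = strip_tags($text);
        $text = preg_replace('/[\r\n\t ]+/', ' ', $text);
        return trim($text);
    }
}

// Vulnerable pattern: the stored label is interpolated straight into markup,
// so any HTML or script stored in it reaches the browser intact.
function render_menu_label_unsafe(string $label): string {
    return "<li class=\"pods-menu-item\">$label</li>";
}

// Fix 1 (output side): escape at the point of rendering. This alone is enough
// to stop the stored value from being interpreted as HTML.
function render_menu_label_safe(string $label): string {
    return '<li class="pods-menu-item">' . esc_html($label) . '</li>';
}

// Fix 2 (input side): sanitise before persisting. Defence in depth only;
// output escaping is still required because values stored before the fix
// may already contain markup.
function save_menu_label(string $submitted): string {
    return sanitize_text_field($submitted);
}

// Constructed sample of a hostile label for demonstration.
$hostile = 'Settings <script>alert(1)</script>';

echo render_menu_label_unsafe($hostile), PHP_EOL;                 // markup survives
echo render_menu_label_safe($hostile), PHP_EOL;                   // markup is encoded
echo render_menu_label_safe(save_menu_label($hostile)), PHP_EOL;  // markup is removed
```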
On a WordPress site with the `pods` plugin installed and activated, a `pods admin` entry appears in the left-hand menu bar. Click on it, then click on `Add New` -> `Create New`. Select `Custom Setting Page` as the `Content Type` from the drop-down menu, place the given payload in the `Menu Label` text field, and fill in the remaining fields. Click on `Next Step`; the payload executes and an alert box appears. The payload also executes whenever the pods page is opened.
Upgrade to version 2.7.27.