VYPR
Unrated severity · NVD Advisory · Published Jan 6, 2025 · Updated Jan 6, 2025

Pods – Custom Content Types and Fields < 3.2.8.1 - Admin+ Stored XSS

CVE-2024-11849

Description

The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

High-privilege users can inject stored XSS in Pods plugin settings, bypassing unfiltered_html restrictions in multisite.

Vulnerability

The Pods – Custom Content Types and Fields plugin for WordPress, versions before 3.2.8.1, fails to sanitize and escape some of its settings. This allows high-privilege users (e.g., administrators) to inject arbitrary JavaScript into the database via the plugin's settings interface [1]. The vulnerability is particularly impactful in multisite installations where the unfiltered_html capability is normally disallowed for non-super-admin users [1].

Exploitation

An attacker must have administrative access to the WordPress site (or an equivalent high-privilege role). The attacker navigates to the Pods plugin settings and injects a malicious payload (e.g., ``) into an unsanitized setting field. The payload is stored server-side and later rendered without proper escaping, causing it to execute in the browser of any user (including other admins and visitors) who views the affected settings page [1].

Impact

Successful exploitation leads to Stored Cross-Site Scripting (XSS). The attacker can execute arbitrary JavaScript in the context of other users' sessions, potentially stealing cookies, session tokens, or performing actions on behalf of the victim. Because the vulnerability is stored, every page load that displays the affected settings triggers the payload. The attack bypasses the unfiltered_html restriction that is intended to prevent XSS by non-super-admin users in multisite networks [1].

Mitigation

The vulnerability is fixed in Pods version 3.2.8.1, released in December 2024 [1]. Administrators should update the plugin to this version or later. There is no known workaround other than applying the patch. The plugin's update log should be monitored for any future patches.
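The defect class described above (a plugin setting stored without sanitization and rendered without escaping, so an admin who lacks unfiltered_html can still persist markup) and the corresponding defensive pattern, as an added illustration that is not Pods' own code; the option name `example_plugin_settings`, the field `banner_text`, and the nonce action are hypothetical.

```php
<?php
// Added illustration of the bug class in this advisory; not code from the Pods plugin.
// 'example_plugin_settings', 'banner_text' and the nonce action are hypothetical names.

// --- Weak pattern: the setting is stored verbatim and echoed verbatim. ---
// Any user who can reach this settings form (an admin on a multisite subsite,
// who does NOT hold unfiltered_html) can store a <script> tag that then runs
// in the browser of everyone who views the page: the capability check that
// core applies to post content never happens here.
function weak_save_settings() {
    $input = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    update_option( 'example_plugin_settings', array( 'banner_text' => $input ) );
}

function weak_render_settings() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo '<p>' . ( $settings['banner_text'] ?? '' ) . '</p>'; // no escaping at output
}

// --- Hardened pattern: authorize, sanitize on save, escape on output. ---
function hardened_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only site administrators may change plugin settings
    }
    check_admin_referer( 'example_plugin_save_settings' ); // CSRF nonce check

    $raw = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';

    // This is a plain-text setting, so strip all markup on save. If a field
    // legitimately needs HTML, follow the core capability model instead: keep
    // raw HTML only when current_user_can( 'unfiltered_html' ), otherwise
    // reduce it to the post-safe allowlist with wp_kses_post( $raw ).
    $clean = sanitize_text_field( $raw );

    update_option( 'example_plugin_settings', array( 'banner_text' => $clean ) );
}

function hardened_render_settings() {
    $settings = get_option( 'example_plugin_settings', array() );
    // Escape at the point of output even though the value was sanitized on
    // save: a value written through another path (import, direct DB edit)
    // is then still rendered as inert text rather than live HTML.
    echo '<p>' . esc_html( $settings['banner_text'] ?? '' ) . '</p>';
}
```

Sanitizing on save and escaping on output are independent controls; the stored-XSS class here appears whenever either is missing for a field that high-privilege but non-unfiltered_html users can write.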

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
