CVE-2024-3956
Description
The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pod Form widget in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Pods plugin for WordPress (≤3.2.1) via Pod Form widget allows contributor+ users to inject scripts.
Root
Cause
The Pods – Custom Content Types and Fields plugin for WordPress allows authenticated users to supply arbitrary attributes in the Pod Form widget. In all versions up to 3.2.1, the plugin fails to properly sanitize user input and escape output for these attributes, leading to a Stored Cross-Site Scripting (XSS) vulnerability [1].
Attack
Vector
An attacker must be an authenticated WordPress user with at least contributor-level access. By crafting a malicious attribute value in the Pod Form shortcode or block, they can inject arbitrary JavaScript or HTML. The injected payload is stored on the server and executes in the browser of any user who later accesses the affected page [1].
Impact
Successful exploitation allows the attacker to execute web scripts in the context of a victim's session. This can lead to actions such as stealing session cookies, redirecting users, or defacing content – all while the victim's browser trusts the origin of the WordPress site.
Mitigation
The vulnerability is patched in Pods 3.2.1.1. Hotfixes are also available for older supported branches (2.7, 2.8, 2.9, 3.0, and 3.1) [1]. Administrators should update their installations immediately. No workaround is provided for unpatched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=3.2.1
Patches
1r3083418Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/pods/tags/3.2.1/ui/front/form.phpnvd
- plugins.trac.wordpress.org/changeset/3083418/pods/tags/3.1.4.1/includes/data.phpnvd
- plugins.trac.wordpress.org/changeset/3083418/pods/tags/3.1.4.1/ui/front/form.phpnvd
- pods.io/2024/05/08/pods-3-2-1-1-security-release/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/a0707c92-96e9-444a-8a13-52d49c9e3f5cnvd
News mentions
0No linked articles in our index yet.