CVE-2026-54191 (Severity: HIGH, CNA: Patchstack)

CVE-2026-54191: WordPress Pods plugin <= 3.3.8 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the Pods Framework WordPress plugin, versions 3.3.8 and earlier. The flaw is reachable over the network without any authentication, but it requires a victim to interact with a malicious link or page, as indicated by the CVSS vector. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session token theft, page content manipulation, and limited disruption of the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-54191 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the Pods plugin directly.

Status: Available
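The matching step described under Detection, namely deciding whether a bundled copy of the plugin falls inside the advisory's affected range, is illustrated by the following added example. It is not HarborGuard's matcher and not Pods project code. It reads the standard WordPress plugin header (the `Version:` field in the main plugin file's comment block, which is a real WordPress convention) and compares the declared version against the range published here (Pods <= 3.3.8) using numeric comparison, so that 3.3.10 is correctly treated as newer than 3.3.8. The plugin header text in the block is constructed sample input.

```python
"""Match a WordPress plugin's declared version against an affected range.

Added example, not HarborGuard's matcher and not Pods project code. It reads
the standard WordPress plugin header ("Version:" in the main plugin file's
comment block) and checks it against the range published for CVE-2026-54191
(Pods <= 3.3.8). SAMPLE_PLUGIN_HEADER below is constructed sample input.
"""
import re
from typing import Optional, Tuple

# Affected range from the advisory: every Pods release up to and including 3.3.8.
AFFECTED_MAX = "3.3.8"

# Constructed sample header in the WordPress plugin-header format.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Pods - Custom Content Types and Fields
 * Plugin URI: https://pods.io/
 * Version: 3.3.8
 * Text Domain: pods
 */
"""

VERSION_FIELD = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.3.10' into (3, 3, 10).

    Numeric tuples compare correctly where plain string comparison would not:
    as strings, '3.3.10' < '3.3.8', which would wrongly flag a patched build.
    A '-beta1' style suffix is dropped before comparison.
    """
    core = text.split("-", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def declared_version(plugin_header: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header, or None."""
    m = VERSION_FIELD.search(plugin_header)
    return m.group(1) if m else None


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when version <= affected_max (inclusive bound, as in '<= 3.3.8')."""
    return parse_version(version) <= parse_version(affected_max)


def check_plugin(plugin_header: str) -> dict:
    """Report what a scanner would record for one plugin's main file."""
    ver = declared_version(plugin_header)
    if ver is None:
        return {"version": None, "affected": None, "note": "no Version: header"}
    return {"version": ver, "affected": is_affected(ver), "note": ""}


if __name__ == "__main__":
    print(check_plugin(SAMPLE_PLUGIN_HEADER))
    for candidate in ("3.2.0", "3.3.8", "3.3.10"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```

Once upstream publishes a fix, `AFFECTED_MAX` is the only value that needs updating; the comparison logic stays the same.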
Triage

HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage-ready alerts are available for delivery to the appropriate team inbox within each customer organization, with exploitability context included.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory on every ingest cycle, typically within minutes of any update. The moment a patched version is released, a rebuilt image becomes available; for customers with auto-remediation enabled, that triggers an automatic rebuild, regression-test run, and a PR opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the web service to deliver a malicious payload.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party.

  • Victim interaction: Required

    A victim must follow a crafted link or visit a malicious page, making social engineering a necessary step in the attack chain.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environment-specific factors.

Blast Radius

  • An attacker can execute arbitrary JavaScript in the victim's browser session, enabling theft of session cookies or authentication tokens.
  • Injected scripts can read and exfiltrate data visible in the victim's browser context, including page content and form inputs.
  • The attacker can silently modify the rendered page, redirecting users or presenting fraudulent content.
  • The scope is marked as Changed in the CVSS vector because the vulnerable component (the WordPress application serving the page) differs from the impacted component (the victim's browser), so impact extends beyond the vulnerable component to other browser-origin resources the victim's session can reach.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-54191, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Pods Framework publishes a fix. In the interim, customers can use HarborGuard's network-policy recommendations to restrict public-facing exposure of WordPress admin and plugin endpoints, apply egress filtering to limit what injected scripts can reach, and use feature-flag or plugin-disablement controls where the Pods plugin is not strictly required. For customers with auto-remediation enabled, the full rebuild-plus-PR flow activates as soon as a fix version is detected, with a median time from CVE publication to merged patch PR for high-severity issues of around 90 minutes in qualifying environments.

Affected packages
  • Pods Framework / Pods: ≤ 3.3.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L