{“lastseen”:”2025-12-23T17:15:28″,”description”:”Textpattern CMS version 4.9.0 contains a persistent cross site scripting vulnerability in the administrative interface. The vulnerability allows authenticated attackers with administrative privileges to inject malicious JavaScript payloads into site…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Textpattern 4.9.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:213262″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: Textpattern CMS 4.9.0 – Stored Cross-Site Scripting (XSS)\\n in Preferences\\n # Date: 2025-12-22\\n # Exploit Author: tmrswrr\\n # Vendor Homepage: https:\/\/textpattern.com\/\\n # Software Link:\\n https:\/\/textpattern.com\/file_download\/124\/textpattern-4.9.0.zip\\n # Version: 4.9.0\\n # Tested on: Apache\/2.4.65, PHP 7.4.33, MariaDB 10.5.28\\n \\n \\n ## Description:\\n Textpattern CMS version 4.9.0 contains a stored Cross-Site Scripting (XSS)\\n vulnerability in the administrative interface. The vulnerability allows\\n authenticated attackers with administrative privileges to inject malicious\\n JavaScript payloads into site preferences ( \\”Site URL\\” field ), which are\\n then executed when any user visits the frontend of the website.\\n \\n \\n ## Proof of Concept:\\n \\n ### Step 1: Login to Admin Panel\\n 1. Navigate to: `http:\/\/target.com\/textpattern\/`\\n 2. Login with administrator credentials (default: admin\/password)\\n \\n ### Step 2: Access Preferences\\n 1. Click on \\”Admin\\” in the top navigation\\n 2. Select \\”Preferences\\” from the dropdown menu\\n 3. Navigate to the \\”Site\\” tab\\n \\n ### Step 3: Inject XSS Payload\\n In the \\”Site URL\\” field, insert the XSS payload:\\n \\n \\”\\u003e\\u003cscript\\u003ealert(‘1’);\\u003c\/script\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213262″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213262\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-23T17:15:28″,”description”:”Textpattern CMS version 4.9.0 contains a persistent cross site scripting vulnerability in the administrative interface. The vulnerability allows authenticated attackers with administrative privileges to inject…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32551","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n