Summary
Vulnerability: Stored DOM XSS via Page Management Fields (Persistent Payload Injection)
- Stored Cross-Site Scripting via Unsanitized Page Creation and Editing Inputs
Description
The application does not sanitize or encode user-controlled input in the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads, which are stored server-side.
These stored values are later rendered without output encoding in administrative page lists and public-facing page views, resulting in stored DOM-based cross-site scripting (XSS).
Affected Functionality
- Page creation functionality
- Page editing functionality
- Page list and management views
- Public-facing page rendering
- Storage and retrieval of page-related data
Affected Fields
- Title
- URL
- Content
- Cover Image
- Image URL
- Image Width
- Image Height
- SEO Description
- SEO Keywords
Attack Scenario
- An attacker creates or edits a page and injects a malicious XSS payload into one or more page-related input fields.
- The application stores these values without sanitization or encoding.
- The payload is rendered in administrative page lists and public-facing page views.
- The payload executes automatically in the browser context of administrators, authenticated users, and unauthenticated visitors.
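The rendering defect described above, as an added example that is not the application's own code: the report's affected fields (Title, URL, Image URL, Image Width) rendered first by raw concatenation and then through context-specific encoding and validation, with a constructed sample record carrying the report's payload. Field and function names are assumptions; in a browser the equivalent of the hardened path is assigning text via textContent/setAttribute rather than innerHTML.

```javascript
// Added example (not the application's own code): render the report's affected
// page fields with context-specific encoding so a stored payload is inert.

// HTML text and double-quoted attribute contexts: escape the five metacharacters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// URL and Image URL fields: allow http(s) or a site-relative path only;
// javascript:, data: and protocol-relative values are replaced with "".
function safeUrl(value) {
  const s = String(value).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return s;
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "";
  } catch {
    return "";
  }
}

// Image Width / Image Height: accept only a short run of digits, else fall back.
function safeDimension(value, fallback) {
  const s = String(value).trim();
  return /^[1-9]\d{0,4}$/.test(s) ? Number(s) : fallback;
}

// The pattern the report describes: stored values concatenated straight into markup.
function renderPageUnsafe(p) {
  return `<h1>${p.title}</h1><a href="${p.url}">` +
    `<img src="${p.imageUrl}" width="${p.imageWidth}"></a>`;
}

// Hardened rendering: each field passes through the encoder for its output context.
function renderPageSafe(p) {
  return `<h1>${escapeHtml(p.title)}</h1><a href="${escapeHtml(safeUrl(p.url))}">` +
    `<img src="${escapeHtml(safeUrl(p.imageUrl))}" width="${safeDimension(p.imageWidth, 100)}"></a>`;
}

// Constructed sample record: the report's payload in Title, a javascript: URL,
// and an attribute-breakout attempt in Image Width.
const samplePage = {
  title: "<img src=x onerror=alert(document.domain)>",
  url: "javascript:alert(document.domain)",
  imageUrl: "https://example.com/cover.png",
  imageWidth: '1" onerror="alert(1)',
};
```

Running `renderPageUnsafe(samplePage)` reproduces the markup the report describes, while `renderPageSafe(samplePage)` yields only escaped text, an empty href and the fallback width.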
Impact
- Persistent Stored XSS
- Execution of arbitrary JavaScript in victims’ browsers
- Privilege escalation when viewed by administrators or privileged users
- Full administrator account takeover
- Full account takeover across all roles
- Full compromise of the entire application
Endpoints
- /backend/pages/create
- Page list management view
- Public-facing page views
Steps To Reproduce (POC)
- Navigate to the Page Management -> Add Page interface
- Insert an XSS payload into any page-related field such as:
<img src=x onerror=alert(document.domain)>
- Save or publish the page
- View...