Summary
Vulnerability: Stored DOM XSS via Posts Added to Menu (Persistent Payload Injection)
- Stored Cross-Site Scripting via Unsafe Rendering of Post Entries in Menu Management
Description
The application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding.
These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS).
Affected Functionality
- Menu Management – Posts section
- Adding posts to navigation menus
- Menu storage and rendering logic
Attack Scenario
- An attacker creates or controls a post containing a malicious JavaScript payload.
- The attacker adds the post to the menu using the Posts functionality in Menu Manager.
- The application stores the menu entry without sanitization or encoding.
- The payload persists and executes whenever the menu is rendered.
Impact
- Persistent Stored DOM XSS
- Execution of arbitrary JavaScript in victims’ browsers
- Privilege escalation in administrative contexts
- Full administrator account takeover
- Full account takeover across all roles
- Full compromise of the entire application via global navigation execution
Endpoint:
Steps To Reproduce (POC)
- Navigate to Menu Management
- Use the Posts section to add a post containing an XSS payload such as:
<img src=x onerror=alert(document.domain)>
- Save the menu
- View the menu in the administrative panel or any public-facing page
- Observe the JavaScript payload executing automatically
Remediation
- Avoid unsafe DOM manipulation methods: Do not use .html(), innerHTML, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing...
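The following is an added example, not code from the affected application: it contrasts string-concatenated menu rendering with output encoding applied at render time, using the payload from the PoC as a stored post title. The function names, the menu item shape ({ title, url }) and the sample entries are assumptions, and the link-scheme check goes slightly beyond the title case described above.

```javascript
// Added example; escapeHtml, safeHref, renderMenuUnsafe and renderMenuSafe are hypothetical names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) and site-relative links; anything else collapses to "#".
function safeHref(url) {
  const s = String(url).trim();
  if (/[\u0000-\u001f\u007f]/.test(s)) return '#';   // control characters are never valid here
  if (/^\/(?![\/\\])/.test(s)) return s;             // "/post/1", but not "//host" or "/\host"
  try {
    const u = new URL(s);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable pattern: the stored post title is concatenated straight into markup.
function renderMenuUnsafe(items) {
  return '<ul>' + items.map((i) => `<li><a href="${i.url}">${i.title}</a></li>`).join('') + '</ul>';
}

// Hardened pattern: encode every stored value at output time and validate the link.
function renderMenuSafe(items) {
  return '<ul>' + items.map((i) =>
    `<li><a href="${escapeHtml(safeHref(i.url))}">${escapeHtml(i.title)}</a></li>`).join('') + '</ul>';
}

// Constructed sample data: stored menu entries, one carrying the title from the PoC.
const storedMenu = [
  { title: 'About us', url: '/about' },
  { title: '<img src=x onerror=alert(document.domain)>', url: '/post/42' },
];

console.log(renderMenuSafe(storedMenu));
```

In client-side code the same rule means assigning the title with textContent and setting href with setAttribute after the same check, rather than building markup for .html() or innerHTML.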