
Stored XSS Vulnerability in Post Description Field

Opened by chaudharidevyani4-ops, 5 months ago (0 comments)

Summary: A stored cross-site scripting (XSS) vulnerability exists in the description field when creating a blog post. Unsanitized user input is rendered directly on the homepage and admin panel, allowing malicious JavaScript execution.

Steps to Reproduce:

1. Log in as any user.
2. Go to the new.php page to create a new blog post.
3. Enter the following data:
    - Title: XSS Test
    - Slug: xss-test
    - Description: <script>alert('XSS by DisclosureX')</script>
4. Submit the form.
5. Visit the homepage or admin dashboard.

Vendor: Philip Okugbe

Affected product(s)/code base:

Product: Simple-PHP-Blog

Version: Git commit 94b5d3e (tested August 2025)

Impact: This allows an attacker to execute JavaScript in the browser of any user who views the blog post, leading to:

- Cookie/session theft
- Admin takeover
- Defacement
- Persistent browser-based attacks

Affected Project:

GitHub repo: [Philipinho/Simple-PHP-Blog](https://github.com/Philipinho/Simple-PHP-Blog)

Affected File: new.php and post rendering logic

Tested on: Latest commit (August 2025)

Recommendation:

- Use htmlspecialchars() or a templating engine that auto-escapes output.
- Validate and sanitize input on both client and server side.
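As an added illustration of the recommendation (not code from the Simple-PHP-Blog repository; the function and variable names are assumed), the snippet below shows the unsafe output pattern next to the escaped form, using the report's own payload as constructed input:

```php
<?php
// Added example, constructed to illustrate the fix described in this report.
// It is not code from Simple-PHP-Blog; all function names are assumed.

// Constructed sample input: the description payload from the report.
$description = "<script>alert('XSS by DisclosureX')</script>";

// UNSAFE pattern: user-controlled text is echoed straight into the HTML body,
// so the browser parses the <script> tag and runs it on every view (stored XSS).
function render_description_unsafe(string $description): string
{
    return '<p class="post-description">' . $description . '</p>';
}

// SAFE pattern: escape at the output point for the HTML context.
// ENT_QUOTES escapes both quote styles, so the same helper is also safe inside
// attribute values; the charset is stated explicitly so bytes are not
// misinterpreted under a different default encoding.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_description_safe(string $description): string
{
    return '<p class="post-description">' . esc_html($description) . '</p>';
}

// The stored value is rendered in more than one place (homepage, admin
// dashboard, edit form), so every output point needs the same escaping;
// escaping on the homepage alone leaves the admin panel exposed.
function render_edit_field_safe(string $description): string
{
    return '<textarea name="description">' . esc_html($description) . '</textarea>';
}

echo render_description_unsafe($description), PHP_EOL;
echo render_description_safe($description), PHP_EOL;
echo render_edit_field_safe($description), PHP_EOL;
```

Run with `php example.php`; the escaped variants print the payload as inert text (`&lt;script&gt;...`), while the unsafe variant prints a live script tag.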

PoC: https://drive.google.com/file/d/1el_7WQNdQs57yyxsB3u9tUDlc_JvOwhP/view?usp=sharing

Discovered by: Team DisclosureX

chaudharidevyani4-ops, Aug 02 '25 13:08