When admins create a FAQ News entry, they can pass XSS into the “text of the record” section.
1. Log in to the admin account
2. In the CONTENT section, click on FAQ News
3. Add any type of source code, and make sure to select the FAQ status as published
4. Turn on intercept in Burp and click Save
5. We change the parameter answer=…<code>payload</code>… and press Forward
<iframe srcdoc='<body onload=prompt(1)>'>
6. Go to the user account demo
7. On the homepage of the search section, the XSS will trigger
https://drive.google.com/file/d/1wFY-7Yh_vhcbdyApXo_iv7elbi57WXI9/view?usp=sharing