# Exploit Title: Textpattern CMS 4.9.0 - Stored Cross-Site Scripting (XSS) in Preferences
# Date: 2025-12-22
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/124/textpattern-4.9.0.zip
# Version: 4.9.0
# Tested on: Apache/2.4.65, PHP 7.4.33, MariaDB 10.5.28

## Description:

Textpattern CMS version 4.9.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the administrative interface. An authenticated attacker with administrative privileges can inject a JavaScript payload into the "Site URL" site preference. The value is stored and rendered into the public frontend, so the payload executes in the browser of any user who visits the website.

## Proof of Concept:

### Step 1: Log in to the Admin Panel

1. Navigate to: `http://target.com/textpattern/`
2. Log in with administrator credentials (default: admin/password)

### Step 2: Access Preferences

1. Click on "Admin" in the top navigation
2. Select "Preferences" from the dropdown menu
3. Navigate to the "Site" tab

### Step 3: Inject XSS Payload

In the "Site URL" field, insert the XSS payload: ">
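The following is an added illustration, not Textpattern's code and not the advisory's exact payload. It models the bug class the advisory describes: a stored "Site URL" preference interpolated verbatim into a frontend attribute, so a value beginning with `">` closes the attribute and the tag and injects markup. Beside it are the two independent fixes a patch should carry: strict validation when the preference is saved, and HTML escaping at the output point. The template string, the `PAYLOAD` constant and all function names are constructed for the example.

```python
"""
Model of the stored-XSS pattern from the advisory (illustrative, not
Textpattern source): a "Site URL" preference rendered unescaped into
the frontend, plus an input-side validator and an output-side escaper.
"""
import html
from urllib.parse import urlsplit

# Constructed payload with the same attribute break-out shape as the
# advisory's ('">' followed by injected markup). Not the advisory's string.
PAYLOAD = '"><script>alert(document.domain)</script>'

# Characters that must never appear in a stored URL preference.
_HTML_META = set('<>"\'')


def render_vulnerable(site_url: str) -> str:
    """Frontend template (constructed) that interpolates the preference verbatim."""
    return f'<link rel="canonical" href="{site_url}/">'


def render_hardened(site_url: str) -> str:
    """Same template, but the value is HTML-escaped where it is emitted.

    quote=True is essential: without it, '"' would survive and still
    terminate the href attribute.
    """
    return f'<link rel="canonical" href="{html.escape(site_url, quote=True)}/">'


def validate_site_url(value: str) -> bool:
    """Input-side check a preferences save handler should apply.

    Accepts only absolute http(s) URLs with a host and optional path,
    with no query, fragment, whitespace or HTML metacharacters. This
    rejects both markup break-outs and javascript: pseudo-URLs.
    """
    if any(c in _HTML_META for c in value) or any(c.isspace() for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.query or parts.fragment:
        return False
    return True


def is_script_injected(rendered: str) -> bool:
    """Did a <script> tag survive into the rendered page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PAYLOAD))
    print("hardened   :", render_hardened(PAYLOAD))
    print("validator rejects payload:", not validate_site_url(PAYLOAD))
    print("validator accepts normal URL:", validate_site_url("https://example.com"))
```

Escaping on output is the fix that actually closes the XSS; the validator is defence in depth and also stops `javascript:` values that escaping alone would leave clickable in a link context. Applying only the validator is not sufficient, because the value can also reach the database through other paths (direct SQL, import, an older version).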