# Exploit Title: LEPTON 7.4.0 - Stored Cross-Site Scripting (XSS)  
# Exploit Author: tmrswrr / Hulya KARABAG  
# Vendor Homepage: https://lepton-cms.org/  
# Software Link: https://lepton-cms.org/media/download_gallery/LEPTON_stable_7.4.0.zip  
# Version: LEPTON 7.4.0 stable  
# Date: October 29, 2025  
 

#### Vulnerability Description  

LEPTON CMS version 7.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability that allows authenticated administrators to inject and execute arbitrary JavaScript code through the Droplets functionality. This vulnerability arises from improper output encoding and lack of content security controls within the Droplets feature execution.  

#### Proof of Concept  

## Prerequisites  
- Valid administrator credentials  
- Access to the LEPTON CMS administrative interface  

#### Exploitation Steps  

1. Authentication  
   - Log into the LEPTON CMS administration panel with administrator privileges  

2. Access Droplets Management  
   - Navigate to: Menu > Administration > Admin-Tools  
   - Select the "Droplets" option  

3. Create Malicious Droplet  
   - Click "Create New"  
   - Enter a droplet name (e.g., xss-droplet)  
   - In the code field, insert the XSS payload: 
    
     echo "<script>alert('XSS!!')</script>";  
     
   - Click "Save and Back" to store the droplet  

4. Trigger Execution  
   - Edit or create any page within the CMS  
   - In the content editor, insert the droplet using the syntax:  
     [[xss-droplet]]  
   - Save the page modifications  

5. Verify Exploitation  
   - Preview or visit the modified page  
   - The JavaScript alert box will be displayed, confirming successful XSS execution  
   - Any user visiting the affected page will execute the injected script