Cross-site Scripting (XSS) - Stored in typecho/typecho


Reported on

May 31st 2021


Stored xss against higher level user


I see there is no xss protection in post writing ,allow to execute javascript command .
There is many type of role like admin,contributor etc .
So, here contributor user can write a post with xss payload and when admin open this post then xss is executed under admin account .
So, contributor can make arbitary javascript code execution in admin account and as he can execute any javascript then contributor can change his role to admin .
Or contributor can change admin password or update email address or steal session cookie etc .


1. From admin account goto http://localhost/typecho-master/admin/manage-users.php and add a new user called user-B with contributor role .
Contributor can write a post here .\

2. Now goto user-B account and write a post with bellow xss payload as post content and save it .

xss"'><img src=x onerror=alert(document.cookie)>

now lets assume the post id is 4 .

3. Now whenever admin try to edit this post then xss is fired and javascript code will be executed in victim account .
So, if admin try to edit this post using url like http://localhost/typecho-master/admin/write-post.php?cid=4 then xss is executed .


There are many way to prevent xss attack like.
You may use any sanitization library HTML-Purifier,dompurify or use urlencode(),htmlspecialchars() function .\


Jamie Slome
2 years ago


I have contacted the maintainer via a GitHub Issue and will await their response.

Jamie Slome validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed with commit 4861a4 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation