Cross-site Scripting (XSS) - Stored in forkcms/forkcms


Reported on

Oct 20th 2021


When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting.

Proof of Concept

  • I downloaded the Kompact theme (, extracted it and changed in info.xml the description part to:
  • After adjusting info.xml, I packed all files back into a zip file and uploaded it in ForkCMS.

  • When the user opens the "Details" page of the theme, the JavaScript code (the alert) will be executed.


  • Executing any JavaScript an attacker could think of. By default, it is used to steal session cookies.
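
The pattern behind this report, as an added example (not part of the original report, and not ForkCMS's own code or its fix): a theme description read from `info.xml` is attacker-controlled text, so it has to be HTML-encoded wherever it is rendered. The `<theme>` root element, the sample XML and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: an info.xml whose description carries markup.
// The <theme> root and <name> element are assumptions, not the project's schema.
$infoXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<theme>
  <name>Example</name>
  <description>Clean theme &lt;script&gt;alert(1)&lt;/script&gt;</description>
</theme>
XML;

/** Hypothetical helper: read the description from theme metadata as plain text. */
function readThemeDescription(string $xml): string
{
    // LIBXML_NONET blocks network access while parsing untrusted XML.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('info.xml is not well-formed XML');
    }
    return trim((string) $doc->description);
}

/** Vulnerable pattern: the stored value is written into the page unchanged. */
function renderDetailsUnsafe(string $description): string
{
    return '<p class="description">' . $description . '</p>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function renderDetailsSafe(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="description">' . $encoded . '</p>';
}

$description = readThemeDescription($infoXml);
echo renderDetailsUnsafe($description), PHP_EOL; // script element becomes live markup
echo renderDetailsSafe($description), PHP_EOL;   // same text is displayed as inert characters
```

Encoding at output rather than at upload keeps the stored value intact and protects every view that later displays it, including ones added after the upload check was written.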


We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
Jelmer Prins validated this vulnerability 7 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins
2 months ago

fix is currently in review

Jelmer Prins confirmed that a fix has been merged on 981730 2 months ago
Jelmer Prins has been awarded the fix bounty
Model.php#L903 has been validated