| Title | code-projects Easy Blog Site In PHP 1.0 Cross Site Scripting |
|---|
| Description | A Stored Cross-Site Scripting (XSS) vulnerability exists in the post update functionality of Easy Blog Site in PHP.
The vulnerability occurs in the following endpoint: `/blog/posts/update.php`
The application processes user-controlled input via HTTP POST parameters when updating blog posts. The postTitle parameter is directly accepted from user input and stored in the backend database without proper validation or sanitization.
Because the stored value is later rendered in the blog interface without applying output encoding, malicious HTML or JavaScript code can be executed in the browser of users who view the affected post.
During testing, it was confirmed that injecting a malicious payload into the postTitle parameter results in persistent script execution.
Payload used: `<details/open/ontoggle=prompt(origin)>`
Once the post is updated, the payload is saved in the database and executed whenever the post is viewed.
This confirms that the vulnerability is a Stored (Persistent) Cross-Site Scripting issue. |
|---|
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Easy%20Blog%20Site%20PHP%20postTitle%20Parameter.md |
|---|
| User | AhmadMarzook (UID 96211) |
|---|
| Submission | 03/24/2026 13:01 (16 days ago) |
|---|
| Moderation | 04/08/2026 16:39 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356244 [code-projects Easy Blog Site 1.0 /posts/update.php postTitle cross site scripting] |
|---|
| Points | 20 |
|---|
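
The fix for the pattern described above (a stored `postTitle` rendered without output encoding), as an added example that is not code from the submission or from the Easy Blog Site project. The function names `normalizeTitle`, `e`, `renderTitleUnsafe` and `renderTitleSafe`, the `<h2>` wrapper and the 150-character limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the project's real update.php is not shown in the report.

/** Input-side check before the title is stored (defence in depth; needs mbstring). */
function normalizeTitle(string $raw, int $maxLen = 150): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('postTitle is not valid UTF-8');
    }
    // Drop control characters and trim surrounding whitespace.
    $title = trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $raw) ?? '');
    if ($title === '' || mb_strlen($title, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('postTitle is empty or too long');
    }
    return $title; // stored as plain data, never treated as markup
}

/** Output-side fix: encode for an HTML text or attribute context at render time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern the report describes: the stored value is echoed into HTML as-is. */
function renderTitleUnsafe(string $storedTitle): string
{
    return '<h2>' . $storedTitle . '</h2>';
}

/** Same template with the stored value encoded on output. */
function renderTitleSafe(string $storedTitle): string
{
    return '<h2>' . e($storedTitle) . '</h2>';
}

// The payload quoted in the report, standing in for a value read back from the database.
// It passes the input check unchanged: it is short, valid UTF-8 and has no control characters.
$stored = normalizeTitle('<details/open/ontoggle=prompt(origin)>');

echo renderTitleUnsafe($stored), PHP_EOL; // markup reaches the browser as an element
echo renderTitleSafe($stored), PHP_EOL;   // angle brackets become entities, shown as text
```

The input check accepts the payload, which is why the encoding step in `renderTitleSafe` is the actual fix: every template that prints a stored title has to encode it for the context it is printed into.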