GHSA-7j46-f57w-76pj: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.

Details

Formwork CMS fails to properly sanitize data inserted into tags, before saving them and rendering them into the edit blog interface. When a specially crafted tag becomes saved as a tag into the system, it is unable to be removed. Any attempt to remove the tag from the affected post, causes the XSS to trigger once again.

Additionally, once the malicious tag is present, managing standard tags becomes impossible. This is due to script execution on attempted modification. This leads to a form of interface lockout where the payload continually reinserts itself due to the stored, unsafe rendering.

PoC

1. Log into the CMS as any user.

2. Select “pages” <img width="179" height="354" alt="image" src="https://github.com/user-attachments/assets/1d96449c-cc48-45bd-9d66-e6b3068edbfe" />

3. Select any page utilizing the “Blog Post” template. In this scenario I use the default “Coffee, Mornings and Ideas” page. <img width="841" height="96" alt="image" src="https://github.com/user-attachments/assets/6c22bbbf-654d-449d-ab21-0443a12510de" />

4. Insert the malicious payload: <img width="872" height="202" alt="image" src="https://github.com/user-attachments/assets/a8c1af89-5c71-425d-8beb-c1e21a336440" />

5. Select Save. <img width="960" height="430" alt="image" src="https://github.com/user-attachments/assets/956182a6-d91e-4ae1-9b8c-cee60f452b3f" />

Impact

This is a stored cross‑site scripting (XSS) vulnerability.

This impacts all users who access the affected blog post’s edit page.