Discovery Of A Stored XSS Vulnerability In BlogHub Plugin

Published on: January 27, 2024

Discovery Of A Stored XSS Vulnerability In BlogHub Plugin

A stored XSS vulnerability was discovered in BlogHub, a plugin in the CMS October. This article explores the vulnerability, its impact, and current status in detail. 


  1. BlogHub is an October CMS plugin that extends the features of its blog with promotable tags and moderatable comments. 
  2. A stored XSS vulnerability is a persistent attack that affects any user who views the infected section of the website. 
  3. A stored XSS vulnerability was discovered in the comments sections of BlogHub’s plugin.
  4. Its exploitation can result in session hijacking, unauthorized access, phishing attempts, and website defacement. 
  5. BlogHub plugin released a patched and updated version, BlogHub Plugin v1.3.9. 

What Is BlogHub Plugin?

BlogHub is a feature-rich plugin for the content management system October. The plugin features promotable tags, comment fields, custom meta fields, basic statistics, a views counter, and more. 

This plugin is specifically designed to extend the features of October’s blog plugin that is, RainLab.Blog. The latest available version for this plugin is BlogHub v 1.3.9 released on January 21st, 2024. 

What Is A Stored XSS Vulnerability? 

A stored XSS or cross-site scripting is a type of injection attack where a malicious code is directly injected into a vulnerable web application. It is also known as persistent XSS or second-order XSS. The vulnerability allows the attacker to execute malicious payloads into legitimate web applications. 

XSS vulnerabilities are one of the most common vulnerabilities detected in websites and web applications. It usually occurs when a website uses user input within the output it generates without validating or encoding it.

Attackers send malicious scripts via XSS to a vulnerable web application section. The web app, having no way of knowing that the script shouldn’t be trusted, executes it every time a user views it. Thus, resulting in the attacker gaining access to sensitive information within the user’s browser. 

What Is The Stored XSS Vulnerability Found in BlogHub?

The stored XSS vulnerability was found in the comments section of the BlogHub plugin. When a malicious XSS payload is added to the comments section, it persists and affects any user that visits the section in the CMS October’s blogs. 

What Is The Impact Of The XSS Vulnerability On Bloghub?

  1. Transmitting private data

The exploitation of the stored XSS vulnerability in the BlogHub plugin can result in the transmission of private data such as session cookies, tokens, and information to malicious actors leading to session hijacks. 

  1. Unauthorized access to accounts

Malicious payloads can be injected by attackers into the BlogHub comment section which when accessed by users could lead to unauthorized access to user accounts. 

  1. Susceptibility to phishing

Malicious hackers can create phishing pages and link them to the vulnerable comment section. This would trick users into divulging sensitive information or downloading malicious files. 

  1. The website can be defaced

Once harmful scripts are inserted into the vulnerable website, attackers can tamper with the website’s content by deleting, or editing it to manipulate users. 

What Is The Current Status Of The Stored XSS Vulnerability?

The stored XSS vulnerability was detected during a routine scan of the BlogHub plugin. The same was reported to the developers with recommendations to mitigate and patch the vulnerability and avoid its exploitation.

Based on the report provided relevant security patches were released by its developers. This was done through strict input sanitization.

What Can You Do To Mitigate The Vulnerability?

To mitigate the stored XSS vulnerability and its possible impact, it is necessary to update your BlogHub plugin to the latest version released on January 21st, 2024, BlogHub plugin v1.3.9. This version has the relevant security patches to secure your website from this vulnerability. 

Nivedita James Palatty

Nivedita is a technical writer with Astra who has a deep love for knowledge and all things curious in nature. An avid reader at heart she found her calling writing about SEO, robotics, and currently cybersecurity.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany