Key Information Summary

Vulnerability Type
- Stored XSS: Stored Cross-Site Scripting
- Reflected XSS: Reflected Cross-Site Scripting

Affected Locations
1. Collections, wishlists, and albums: stored XSS is possible when creating or editing collections, wishlists, and albums, because the submitted names are stored and later rendered without encoding.
2. Text fields: any text field is vulnerable where input is not sanitized before processing and not encoded before it is written into the page.

Example Payloads

Scope of Impact
Author access only: some of the XSS sinks are reachable only by an authenticated author, such as the reflected XSS triggered when adding new wishes or photos/albums. Those instances affect only the author's own session unless the request can be forged.

Impact and Risk
Account takeover: account compromise via XSS is typically achieved by stealing the session cookie; here that path is mitigated because the session cookie is set with the HttpOnly attribute, so document.cookie does not expose it. Script running in the victim's origin can still issue authenticated requests on the victim's behalf, so HttpOnly reduces, but does not remove, the impact.
Phishing: stored XSS can redirect visitors to a phishing site using a window.location payload.

Remediation
Input filtering: filter input when it is received.
Output encoding: encode data for the context it is written into (HTML body, attribute, JavaScript, URL) before output; HTML entity encoding alone is not sufficient for data placed inside script blocks or URLs.
Reference: OWASP Cross-Site Scripting Prevention Cheat Sheet

Status Update
Fixed in version 1.6.11: the vulnerability has been patched and a new version released.
Closed issue: the issue has been closed and confirmed as resolved.