Impact
Textpattern CMS version 4.9.0 contains a second‑order cross‑site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user‑supplied input in Atom feed XML elements. Unescaped payloads can be embedded in parameters such as category, which are later reflected into Atom fields that are rendered by feed readers or CMS aggregators. When clients process these feeds and insert the content into the DOM using unsafe methods, the malicious JavaScript is executed, potentially compromising user accounts, stealing credentials, or delivering further malware. The weakness is a classic instance of unsanitized input with persistent context leading to client‑side script execution.
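A defender-side check for the condition described above, added here as an example (not Textpattern or OpenCVE code): it audits an Atom document for fields that a reader would display as plain text but whose decoded value contains markup. The sample feed is constructed, and the lists of plain-text fields and markup-bearing fields are assumptions to adjust for your own feed.

```python
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
# Policy assumption: only these constructs may carry markup, and only when typed.
MARKUP_OK = {ATOM + "content", ATOM + "summary"}
# Fields a reader shows as plain text (assumed list, extend as needed).
PLAIN = {ATOM + t for t in ("title", "name", "category", "id", "updated")}
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")  # decoded value opens or closes a tag

# Constructed sample: entry 1 is clean, entries 2 and 3 carry markup in plain fields.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example site</title>
  <entry><title>First</title><category term="news"/>
    <content type="html">&lt;p&gt;Body&lt;/p&gt;</content></entry>
  <entry><title>Second</title><category term="&lt;b&gt;marker&lt;/b&gt;"/></entry>
  <entry><title>Third <b>post</b></title><category term="misc"/></entry>
</feed>"""


def audit_feed(xml_text):
    """Return (element, location, detail) for fields a reader could render as markup."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Raw '<' or '"' written into the feed usually breaks well-formedness.
        return [("feed", "parse", str(exc))]
    findings = []
    for el in root.iter():
        name = el.tag.replace(ATOM, "")
        if el.tag in MARKUP_OK and el.get("type") in ("html", "xhtml"):
            continue  # markup is expected here; the reader must sanitize it
        if el.tag in PLAIN and len(el):
            # Unescaped input became child elements of a plain-text field.
            findings.append((name, "children", el[0].tag.replace(ATOM, "")))
        if el.text and TAG_RE.search(el.text):
            findings.append((name, "text", el.text))
        for attr, value in el.attrib.items():
            if TAG_RE.search(value):
                findings.append((name, "@" + attr, value))
    return findings


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE):
        print(finding)
```

A finding means the value reaches consumers as markup once XML-decoded; whether it executes depends on how the reader inserts it into the page.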
Affected Systems
The vulnerability affects Textpattern CMS, specifically the 4.9.0 release. No additional affected versions were listed in the available data. Users running this exact version should verify whether the Atom feed generation or rendering components include the vulnerable logic and consider upgrading to a later release when available.
Risk and Exploitability
The CVSS score of 5.1 places this issue in a moderate risk range, indicating that while exploitation does not grant arbitrary code execution on the server, it can cause significant client-side damage. EPSS information is not available, so the exact likelihood of exploitation in the wild cannot be quantified. The vulnerability is not present in the CISA KEV catalog, suggesting that there are no reports of active exploitation as of now. However, because the attack can be performed remotely via crafted feed content, an attacker who can influence the feed data (for example, by creating a new category or posting through the CMS interface) could potentially exploit the flaw. The likely attack vector is remote, with the script executing on the client side; the prerequisite is that an external actor can inject content that will later be consumed by a third-party feed reader or aggregator.