
PHPMyWind has Reflected Cross-Site Scripting Vulnerability Description

Testing Target


An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability.


  1. We download the latest version from the official website and build the default environment.

  2. In the setup steps, we can use BurpSuite to bypass the username check mechanism and insert an XSS payload as the admin username.

  3. Now go back to the admin login page and, again using BurpSuite, change the username to log in.

  4. That's a great result.
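
A mitigation sketch for the issue above, added here as an example and not taken from PHPMyWind's code: the username is validated on the server, where a proxy cannot skip the check, and HTML-encoded wherever it is rendered. The function names and the allowlist pattern are assumptions; the code needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not PHPMyWind functions). The allowlist is an assumed
// policy: 4-32 characters, ASCII letters, digits and underscore only.
const USERNAME_PATTERN = '/\A[A-Za-z0-9_]{4,32}\z/';

/**
 * Server-side check on the value the server actually received. A check that
 * runs only in the browser is bypassed when the request is edited in a proxy.
 * Returns the username if acceptable, null otherwise.
 */
function validate_install_username(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // missing field or array input such as username[]=x
    }
    // \A and \z anchor the whole string; "$" would allow a trailing newline.
    return preg_match(USERNAME_PATTERN, $raw) === 1 ? $raw : null;
}

/** Output encoding for HTML text and quoted attribute contexts. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, as the install handler might receive them.
$samples = ['admin_01', 'admin<script>alert(1)</script>', "admin_01\n", ['x']];
foreach ($samples as $sample) {
    $result = validate_install_username($sample);
    printf("%-42s => %s\n", json_encode($sample), $result === null ? 'rejected' : 'accepted');
}

// Defence in depth: a value stored before validation existed is still
// rendered as inert text when it is encoded at output time.
$stored = 'admin<script>alert(1)</script>'; // constructed stored value
echo '<td>', html_escape($stored), '</td>', "\n";
```

Validation at install time only limits what can be stored; the encoding step is what prevents script execution, so it belongs on every page that prints the username.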
