The vulnerability appears in line 27 of QCMS/upload/System/Controller/guest.php
$result = $this->_guestObj->insert(array('title' => $_POST['title'], 'name' => $_POST['name'], 'email' => $_POST['email'], 'content' => $_POST['content'], 'addtime' => time()));
The null value is only judged on the submitted content, so the attacker can insert XSS statements.
After submitting, it is found that the front end only displays the title, name, and content parameters. The backend shows the title, name, and email parameters: