# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:"/admin/pages/add" "Anchor CMS"
# Date: 2025-06-08
# Exploit Author: /bin/neko
# Vendor Homepage: http://anchorcms.com
# Software Link: https://github.com/anchorcms/anchor-cms
# Version: 0.12.7
# Tested on: Ubuntu 22.04 + Apache2 + PHP 8.1
# CVE: CVE-2025-46041

# Description:
Anchor CMS v0.12.7 suffers from a stored Cross-Site Scripting (XSS) vulnerability in the `markdown` field of the /admin/pages/add page. An authenticated user with page creation privileges can inject arbitrary JavaScript, which is stored and executed when the page is viewed.

# Steps to Reproduce:
1. Log in to /admin
2. Navigate to Pages > Add Page
3. In the `Markdown` field, insert:
4. Save the page.
5. View the created page. The script executes.

# Impact:
- Arbitrary JavaScript execution
- Potential session hijacking or admin impersonation
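
Added example (not part of the original advisory and not Anchor CMS code): a defender-side audit that scans stored page bodies for raw HTML that would execute if the Markdown is rendered without sanitization. It assumes pages have been exported as `(page_id, markdown_source)` pairs; `audit_pages`, `ActiveContentFinder` and the sample rows are hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser

# Elements that run script or load active content when a browser renders them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
BAD_SCHEME = re.compile(r"(javascript:|vbscript:|data:text/html)", re.I)
MD_LINK = re.compile(r"\]\(\s*(javascript|vbscript)\s*:", re.I)


class ActiveContentFinder(HTMLParser):
    """Collects raw-HTML constructs that would execute if rendered unsanitized."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            # Browsers ignore whitespace/control characters inside a URL scheme.
            url = re.sub(r"[\x00-\x20]", "", value or "")
            if re.fullmatch(r"on[a-z]+", name):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and BAD_SCHEME.match(url):
                self.findings.append(f"script-capable URL in {name} on <{tag}>")


def audit_pages(rows):
    """rows: iterable of (page_id, markdown_source). Returns {page_id: [findings]}."""
    report = {}
    for page_id, body in rows:
        finder = ActiveContentFinder()
        finder.feed(body)
        finder.close()
        if MD_LINK.search(body):
            finder.findings.append("script-capable URL in Markdown link")
        if finder.findings:
            report[page_id] = finder.findings
    return report

# Constructed sample rows (not data from a real site, not the advisory's payload).
SAMPLE_ROWS = [
    (1, "# About\n\nPlain *Markdown* with a [link](https://example.org)."),
    (2, "Intro text\n\n<script>alert(1)</script>"),
    (3, 'Photo: <img src="x.png" onerror="alert(1)">'),
    (4, "[click](javascript:alert(1))"),
    (5, '<a href="&#106;ava\tscript:alert(1)">x</a>'),
]
```

Findings are leads for manual review: HTML quoted inside a Markdown code block is flagged too, even though a renderer would normally escape it.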