A stored XSS vulnerability was discovered in a web application's 'Save for later' feature by bypassing WAF protections using Unicode-encoded HTML characters and event handlers. The attacker crafted a payload with Unicode escapes (e.g., \u003E for >, \u0045 in onmouseleave) to evade signature-based filtering and achieved POST-based XSS that was chainable with CSRF for authenticated users.
A researcher chained a self-XSS vulnerability with SMTP email injection to achieve stored XSS: malformed emails crafted via netcat created new clients with XSS payloads in their email fields, and the payloads triggered when employees accessed client management pages.
A persistent XSS vulnerability on eBay's My World profile section exploited a blacklist-based HTML filter that failed to block deprecated tags like <plaintext>, <fn>, and <credit>. The attacker chained this with event handlers, String.fromCharCode/eval to bypass character limits, missing CSRF protection, and cookies set without the HttpOnly flag to create a self-propagating worm that could steal session tokens.