The Post editor functionality in the hexo-admin plugin versions 2.3.0 and previous versions for Node.js is vulnerable to stored XSS via the content of a post.
hexo-admin project hexo-admin