ForestBlog through 2022-02-16 allows XSS via userAvatar in admin/profile/save during addition of a user avatar.
forestblog project forestblog