Closed Hu3sky closed 4 years ago
I was sure all the inputs were sanitising data, but it appears not. I suppose at this point an attacker would already have access to your admin dashboard so the site would already be compromised.
I'll try to get time to fix it in the next few days!
The XSS is on the page 'admin/pages/new'. Add a new text page, fill the
<img src=1 onerror=alert(1)>
in the 'Navigation Title* (this is displayed on navigation menus)' field
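
An added example, not part of the original thread or the project's code: the Navigation Title is stored and later written into navigation menus, so the menu renderer has to encode it on output. The project's language and template layer are not shown on this page, so Python, the record field names, and the functions `render_nav_unsafe`, `render_nav` and `tags_in` are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed records standing in for pages saved through admin/pages/new.
# Field names are hypothetical; the second title is the value from the report.
PAGES = [
    {"slug": "about", "nav_title": "Tom & Jerry"},
    {"slug": "q&a", "nav_title": "<img src=1 onerror=alert(1)>"},
]

def render_nav_unsafe(pages):
    """Before: stored values are concatenated into the menu markup as-is."""
    items = ['<li><a href="/%s">%s</a></li>' % (p["slug"], p["nav_title"])
             for p in pages]
    return "<ul>" + "".join(items) + "</ul>"

def render_nav(pages):
    """After: each stored value is encoded for the context it is written into."""
    items = []
    for p in pages:
        # Percent-encode the slug as a URL path segment, then escape for the attribute.
        href = escape("/" + quote(p["slug"], safe=""), quote=True)
        # Escape the title for element text so markup characters stay literal.
        title = escape(p["nav_title"], quote=True)
        items.append('<li><a href="%s">%s</a></li>' % (href, title))
    return "<ul>" + "".join(items) + "</ul>"

class _Tags(HTMLParser):
    """Collects the names of all start tags found in a piece of markup."""
    def __init__(self):
        super().__init__()
        self.seen = set()
    def handle_starttag(self, tag, attrs):
        self.seen.add(tag)

def tags_in(markup):
    """Regression check: which start tags does this markup contain?"""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.seen

if __name__ == "__main__":
    print(sorted(tags_in(render_nav_unsafe(PAGES))))  # menu markup plus the stored tag
    print(sorted(tags_in(render_nav(PAGES))))         # menu markup only
    print(render_nav(PAGES))
```

Running `tags_in` over the rendered menu in a test suite catches any later template change that reintroduces raw output of the title.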