
快乐源泉 / tpcms


XSS storage vulnerability exists in tpcms v3.2 management system

To do
Created on 2021-07-02 14:24

After logging into the management system of tpcms v3.2 (admin/admin888), go to "System Settings" - "Site Configuration" - "Bottom Information" (or "Phone"), enter an XSS payload and save it. Open the front site and you can see the pop-up window caused by the XSS payload.

URL:
http://IP/index.php/Admin/Index/index.html

Payload:

<script>alert('hello ');</script>


This vulnerability can be used in conjunction with the XSS platform. The attacker enters the malicious payload in the corresponding text box. Whenever a visitor visits the TPCMS, the visitor's information can be sent to the XSS platform. It can be used for phishing or something else.
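The mitigation for the behaviour reported above is output encoding at the point where a saved setting is written into the front-site page, with input validation on save as a second layer. The following is an added example, not part of the original issue and not tpcms's own code; the field names (`footer_info`, `phone`) and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample: values as an administrator might have saved them in
// "Site Configuration". Field names are hypothetical, not tpcms's own.
$siteConfig = [
    'footer_info' => "<script>alert('hello ');</script>",
    'phone'       => '+86 010-1234 5678',
];

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so the browser parses it as markup and runs the script for every visitor.
function renderFooterUnsafe(array $cfg): string
{
    return '<div class="footer">' . $cfg['footer_info'] . '</div>';
}

// Output encoding: HTML metacharacters become entities, so the stored value
// is displayed as text. ENT_QUOTES also covers quoted attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same template, but the value is encoded on output.
function renderFooterSafe(array $cfg): string
{
    return '<div class="footer">' . e($cfg['footer_info']) . '</div>';
}

// Validation on save for a field with a known shape (assumed phone format):
// digits, spaces, plus, hyphen and parentheses only.
function validatePhone(string $phone): bool
{
    return preg_match('/\A[0-9+()\- ]{5,30}\z/', $phone) === 1;
}

echo renderFooterUnsafe($siteConfig), PHP_EOL; // script tag reaches the page intact
echo renderFooterSafe($siteConfig), PHP_EOL;   // script tag is entity-encoded
var_dump(validatePhone($siteConfig['phone']));
var_dump(validatePhone($siteConfig['footer_info']));
```

Encoding on output is the control that matters here: validation on save does not cover values already stored, and a free-text field such as the footer cannot be restricted to a simple pattern.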


Comments (0)

xrun created the task
xrun set the associated repository to 快乐源泉/tpcms