SmartStoreNET, an open-source e-commerce platform for .NET, has been found to have two Cross-Site Scripting (XSS) vulnerabilities that can allow attackers to gain control of the server by sending malicious messages to administrators. The vulnerabilities were discovered through security research and are caused by the sanitize-then-transform pattern being applied to user-controlled data during BBCode parsing. These bugs can be exploited to achieve arbitrary code execution without user interaction, making them a significant threat to the platform's security. The maintainers of SmartStoreNET have released patches for these vulnerabilities, but they do not plan to release a new version that includes the fixes, so administrators are advised to build from source to benefit from the latest security updates.
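
The sanitize-then-transform ordering named above, as an added example that is not SmartStoreNET's code: a toy BBCode renderer that sanitizes first and transforms second, next to a version that encodes every value as the final step. All function names, the tag-stripping sanitizer and the sample message are assumptions constructed for illustration.

```javascript
// Toy sanitizer (assumption): strips anything that looks like an HTML tag.
// Quotes are harmless in plain text, so a sanitizer has no reason to touch them.
function sanitizeHtml(input) {
  return input.replace(/<[^>]*>/g, "");
}

// Encoder that is safe for both text nodes and quoted attribute values.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal BBCode grammar for this example: [url=TARGET]TEXT[/url]
const URL_TAG = /\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi;

// Weak ordering: the sanitizer sees plain text, then the transform moves that
// text into an attribute context the sanitizer never evaluated.
function renderSanitizeThenTransform(message) {
  const clean = sanitizeHtml(message);
  return clean.replace(URL_TAG, (_, href, text) => `<a href="${href}">${text}</a>`);
}

// Hardened ordering: the transform is the last step and encodes each piece
// for the context it lands in; only http(s) link targets are accepted.
function renderTransformWithEncoding(message) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URL_TAG)) {
    out += encodeHtml(message.slice(last, m.index));
    const href = /^https?:\/\//i.test(m[1]) ? m[1] : "#";
    out += `<a href="${encodeHtml(href)}">${encodeHtml(m[2])}</a>`;
    last = m.index + m[0].length;
  }
  return out + encodeHtml(message.slice(last));
}

// Constructed sample: contains no HTML tags, so the sanitizer leaves it unchanged.
const sample = '[url=https://example.test/" data-injected="1]link[/url]';

console.log(renderSanitizeThenTransform(sample));
console.log(renderTransformWithEncoding(sample));
```

In the first output the quote closes `href` early and `data-injected` becomes an attribute of its own; in the second it stays inside the encoded `href` value.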