An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the user_id parameter to signup.php.

Source