An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the fullname parameter to signup.php.

Source