Critical Stored XSS on

Alexa Ranking: 90
A persistent cross site scripting vulnerability locating in the private message feature of the site. The body message part is vulnerable. Attackers could use </textarea> tag to end the textarea tag and start executing malicious codes. Attackers can simply send a private message to anyone. When a victim views the message, javascript will be executed.
Talking with Alan Schaaf (CEO of imgur) made my day. He’s nice and have a good sense of humour!
Reported on October 12 2012 and Fixed on October 13 2012.