Go to login page form https://127.0.0.1/index.php?page=login.php
and log in using login bypass or inserting password.
Go to a page vulnerable to XSS stored like as: https://127.0.0.1/index.php?page=add-to-your-blog.php
 (1).png)
in this textarea (not sanitizated) we can add whatever we want, save it and it will be stored internally and display to users that will click on 'View Blogs'.
 (1).png)
injecting the javascript payload: <script>alert(document.cookie)</script> thecommand will be execute on the click of the page: https://127.0.0.1/index.php?page=view-someones-blog.php clicking on View Blog Entries:
 (1).png)