The scheduled post feature in Reddit suffered a critical vulnerability that has since been patched.
It allowed an attacker to execute cross-site scripting attacks.
The flaw lay in the RichText parser’s failure to filter out unsafe JavaScript hyperlinks.
An attacker could access the scheduled post editing page and replace a link with a malicious script.
Administrators opening the edited post would then have the script executed in their browser.
la_revoltage discovered this vulnerability. Reddit encourages users to ensure they are using the latest version of the Scheduled Posts feature to avoid this defect.