The vulnerability stems from unsanitized username input handling and unescaped output in admin interfaces. Key evidence includes: 1) The PoC shows XSS triggers in user edit pages (/user/edit) and version comparisons (/admin/versions), implicating these handlers. 2) Persistent XSS requires both storage and unsafe rendering - User::save likely stores raw input while template rendering functions fail to escape it. 3) The CMS's admin interface structure suggests these are core user management components. While exact code isn't available, the attack pattern and Elefant's MVC architecture strongly indicate these functions as vulnerable points.