FlatPress Stored Cross-Site Scripting Vulnerability in Blog Entry Feature

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in FlatPress version 1.3.1, specifically within the 'Add Entry' feature. This vulnerability allows authenticated attackers to inject malicious JavaScript into blog posts, which is executed when other users view the posts. The issue stems from inadequate input sanitization of the 'TextArea' field in the blog entry submission form.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the blog post, potentially leading to session hijacking, phishing attacks, or other client-side exploits.

Reproduction

To reproduce this vulnerability, log in as an admin on FlatPress version 1.3.1. Navigate to the 'Add Entry' section and inject a JavaScript payload into the text area. After saving the entry, the payload will execute when the post is viewed.

Remediation

Users are advised to update to FlatPress version 1.4, where this vulnerability has been patched.
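
Because the payload is stored with the entry, upgrading does not by itself show whether an entry saved under 1.3.1 already carries injected markup. The following is an added example, not FlatPress code and not part of the original advisory: a small audit that parses entry bodies and flags script-capable markup for review. The function names, entry ids and sample bodies are constructed for illustration, and reading entry text out of a particular installation is left to the caller.

```python
from html.parser import HTMLParser

# Tags that run or embed active content when a browser renders the entry.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose values are treated as URLs.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class ActiveContentFinder(HTMLParser):
    """Records markup in an entry body that could run script for a viewer."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace/control characters before checking the scheme.
                url = "".join(c for c in value if c > " ").lower()
                if url.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def audit_entry(body):
    """Return the list of findings for one stored entry body."""
    finder = ActiveContentFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def audit_entries(entries):
    """Map entry id -> findings, keeping only entries that need review."""
    report = {eid: audit_entry(body) for eid, body in entries.items()}
    return {eid: found for eid, found in report.items() if found}


# Constructed sample entries; the ids and bodies are made up for this example.
SAMPLE_ENTRIES = {
    "entry-a": "A plain post with a <b>bold</b> word.",
    "entry-b": "Hello <script>document.title = 'x'</script> world",
    "entry-c": '<img src="logo.png" onerror="void(0)">',
    "entry-d": '<a href=" JavaScript:void(0)">link</a>',
    "entry-e": "Writing about the text &lt;script&gt; as escaped characters.",
}
```

Findings are prompts for manual review: an embed the author added on purpose is flagged the same way as an injected one.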

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.5
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.