VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2020 · Updated Jan 29, 2025

CVE-2020-35241

Description

FlatPress 1.0.3 suffers from stored XSS in the Blog Content component, allowing an attacker with admin panel access to inject persistent JavaScript payloads that execute when any user views the blog entry, leading to cookie theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FlatPress 1.0.3 stores user-supplied input in the content parameter of the blog entry creation functionality without proper sanitization or output encoding. The vulnerable component is the admin panel page at admin.php?p=entry&action=write. An attacker with access to the admin panel can inject arbitrary HTML/JavaScript via the content field during entry composition [1][2][4].

Exploitation

An attacker must have valid administrator credentials to access the admin panel and the Entries -> Write Entry form. The attacker submits a crafted payload (e.g., an `<img>` tag with an `onerror` handler, as quoted under Attack vector below) in the content parameter [2][4]. The payload is stored in the blog entry. Every time any user (including other administrators) visits that blog page, the malicious script executes in the context of the victim's session, typically exfiltrating `document.cookie` to an attacker-controlled server or demonstrating the XSS via an alert [1][2].

Impact

Successful exploitation results in persistent arbitrary JavaScript execution (stored XSS) within the browser of any user viewing the compromised blog entry. The attacker can steal session cookies, perform actions on behalf of the victim within the FlatPress admin panel, deface the page, or redirect users to malicious sites. The attack scope is the same-origin context of the FlatPress instance [1][4].

Mitigation

The vendor has released FlatPress 1.5 (“Stringendo”) which presumably addresses this vulnerability as of 2024 [3]. Users should upgrade to the latest version immediately. If upgrading is not possible, restrict admin panel access to trusted users and avoid previewing blog entries containing untrusted content. No KEV listing has been published for this CVE [1][3].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing output encoding of blog content allows stored XSS."

Attack vector

An attacker with admin panel access sends a POST request to `/flatpress/admin.php?p=entry&action=write` with a malicious payload in the `content` parameter [ref_id=1]. The payload `<img src=x onerror='alert("TEST XSS")'/>` is stored as blog content. Any user who visits the affected blog page triggers the XSS, allowing the attacker to steal cookies or perform other client-side attacks [ref_id=1].

Affected code

The vulnerability exists in the blog content component of FlatPress 1.0.3, specifically in the entry writing functionality accessed via `admin.php?p=entry&action=write` [ref_id=1]. The `content` POST parameter is stored without sanitization and rendered unsafely on the blog page.

What the fix does

No patch is included in the bundle. The advisory does not specify a fix, but the remediation would require the application to properly encode or sanitize user-supplied HTML in the `content` field before rendering it on the blog page, preventing execution of injected script payloads [ref_id=1].
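As an added example (not FlatPress's own code, which is PHP; the same allowlist design applies there), here is the sanitize-before-render option from the paragraph above, written in Python: the tag and attribute allowlist and the `sanitize_entry` name are constructed for this illustration, and the point is that an `<img>` survives as formatting while its `onerror` handler and any `javascript:` URL never reach the rendered page.

```python
"""Allowlist sanitizer for stored blog content (added example, not FlatPress code).
A blog cannot escape all HTML (authors need formatting), so keep a short list of
tags and drop every attribute and URL scheme that is not explicitly allowed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for the example; a real deployment tunes it to its needs.
ALLOWED_TAGS = {"p", "br", "em", "strong", "a", "img", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"", "http", "https"}  # "" covers relative URLs such as src=x

def _safe_url(value: str) -> bool:
    # Rejects javascript:, data: and any other scripting-capable scheme.
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror, onclick, style, ... never reach the output
            if name in ("href", "src") and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # self-closing form, e.g. <img .../>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # covers <script> bodies too

def sanitize_entry(content: str) -> str:
    """Return the stored entry with only allowlisted tags and attributes."""
    parser = _Sanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)
```

Run the sanitizer once at render time (or at save time, plus again at render if entries can be edited by other paths) so that entries stored before the fix are covered as well.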

Preconditions

  • Auth: Attacker must have access to the FlatPress admin panel to create or edit blog entries
  • Input: The blog page containing the malicious entry must be visited by a victim

Reproduction

1. Log in to the FlatPress admin panel.
2. Navigate to `admin.php?p=entry&action=write`.
3. Set the `content` parameter to `<img src=x onerror='alert("TEST XSS")'/>` and submit the form [ref_id=1].
4. Visit the published blog entry: the XSS payload executes in the browser [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)