VYPR
Unrated severity · NVD Advisory · Published Oct 11, 2022 · Updated Aug 3, 2024

CVE-2022-40047


Description

Flatpress v1.2.1 is vulnerable to reflected XSS via the page parameter in admin.php, allowing session theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Flatpress v1.2.1 is affected by a reflected cross-site scripting (XSS) vulnerability in the page parameter of /flatpress/admin.php. The application neither validates nor encodes the page parameter before reflecting it into the response, so an attacker can inject arbitrary HTML attributes and JavaScript. The vulnerable code path is reached through the admin panel and needs nothing beyond a valid login session; no special configuration is required [1].

Exploitation

An attacker with network access to the Flatpress instance crafts a URL carrying a JavaScript payload in the page parameter and tricks a victim who is logged into the Flatpress admin panel into opening it. The published payload, %22onfocus%3d%22alert%28document.cookie%29%22autofocus%3d%22zr4da, decodes to "onfocus="alert(document.cookie)"autofocus="zr4da. The leading double quote terminates the attribute value into which page is reflected (the payload only works if that reflection point is a double-quoted attribute), onfocus registers an inline event handler, and autofocus makes the browser focus the element as soon as the page loads, so alert(document.cookie) fires with no further user interaction [1]. The trailing zr4da simply absorbs the remainder of the original attribute so the markup still parses. No privileges or write access beyond the victim's existing session are required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, enabling session hijacking and unauthorized access to the victim's account. The attacker may then view or alter blog content and administrative settings, compromising the confidentiality and integrity of the application [1].

Mitigation

The Flatpress project had not released a patched version as of the publication date, and the issue remained open [1]. Until a fix is available: encode the page parameter for the HTML context in which it is reflected (in PHP, htmlspecialchars() with ENT_QUOTES, so that a double quote becomes &quot; and can no longer terminate an attribute value); validate the parameter against the set of page names the application actually expects; restrict admin panel access to trusted users; and deploy a Content Security Policy without 'unsafe-inline', which blocks inline event handlers such as onfocus. Marking the session cookie HttpOnly keeps document.cookie from reading it, but does not stop an injected script from acting with the victim's session. Monitor the Flatpress repository for an update and apply the output encoding as a workaround in the meantime.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `page` parameter allows reflected XSS."

Attack vector

An attacker crafts a URL containing a malicious payload in the `page` parameter, such as `%22onfocus%3d%22alert%28document.cookie%29%22autofocus%3d%22zr4da`. When a logged-in victim visits this URL, the payload is reflected in the response without proper sanitization, causing the attacker's JavaScript to execute in the victim's browser [ref_id=1]. The attacker can then steal session cookies or manipulate the victim's session to impersonate them [ref_id=1]. No authentication bypass is required beyond the victim already being logged into Flatpress.

Affected code

The vulnerability exists in the `page` parameter handled by `/flatpress/admin.php`. The advisory identifies that the `page` parameter does not sanitize input properly, leading to reflected XSS [ref_id=1]. No patch files are provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory recommends that the application encode data on output and filter input on the `page` parameter [ref_id=1]. Output encoding stops injected markup from being interpreted by the browser; because this payload breaks out of a quoted attribute, the encoding must cover double quotes as well as angle brackets (a literal `"` becoming `&quot;`), since encoding only `<` and `>` would leave the payload working. Input filtering rejects or strips unexpected characters before the value reaches the vulnerable reflection point.
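As an added illustration (not Flatpress code and not taken from the advisory), the Python script below models the attribute-context reflection described in the Exploitation and Attack vector sections and the quote-aware output encoding recommended here. The `<input value="...">` template is an assumption about the reflection point, made because the payload's leading %22 only has an effect inside a double-quoted attribute; the access-log line is constructed; and the `suspicious_params` detector for the quote-then-on*= break-out shape goes beyond the advisory, which describes no detection.

```python
"""Attribute-context reflected XSS: how the CVE-2022-40047 payload escapes a
quoted HTML attribute, and why quote-aware output encoding stops it.

Added illustration, not Flatpress code.  The reflection template below is an
assumption (a double-quoted value="..." attribute): the payload's leading %22
only has an effect if the parameter lands inside such an attribute.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Payload exactly as published in the advisory (URL-encoded) and its decoding.
PAYLOAD_ENCODED = "%22onfocus%3d%22alert%28document.cookie%29%22autofocus%3d%22zr4da"
PAYLOAD = unquote(PAYLOAD_ENCODED)
# -> "onfocus="alert(document.cookie)"autofocus="zr4da

# Assumed reflection point: the requested page name echoed into a form field.
TEMPLATE = '<input type="text" name="page" value="{page}">'

# Constructed access-log line (not from a real server) carrying the published URL.
SAMPLE_LOG = (
    '203.0.113.5 - - [11/Oct/2022:10:00:00 +0000] "GET /flatpress/admin.php'
    "?p=static&action=write&page=" + PAYLOAD_ENCODED + ' HTTP/1.1" 200 512'
)


def render_vulnerable(page: str) -> str:
    """The bug: the parameter is written into the attribute verbatim."""
    return TEMPLATE.format(page=page)


def render_hardened(page: str) -> str:
    """The fix: encode for the HTML attribute context.  quote=True is the
    part that matters here; it turns '"' into &quot; so the attacker can no
    longer terminate the value attribute and start new ones."""
    return TEMPLATE.format(page=html.escape(page, quote=True))


def attributes_of_first_tag(markup: str) -> dict:
    """Minimal attribute tokenizer for the demonstration (not a full HTML
    parser).  Like a browser, it keeps reading attributes after a closing
    quote even when no whitespace follows, which is exactly what lets
    value=""onfocus="..." smuggle in an event handler."""
    m = re.match(r"<\w+([^>]*)>", markup)
    if not m:
        return {}
    attrs = {}
    for name, value in re.findall(r'([\w-]+)(?:="([^"]*)")?', m.group(1)):
        attrs[name.lower()] = value
    return attrs


# Break-out shape: a quote (closing the attribute) followed by an on*= handler.
BREAKOUT = re.compile(r'["\']\s*on\w+\s*=', re.IGNORECASE)


def suspicious_params(log_line: str) -> dict:
    """Detection: decode each query parameter of a logged request line and
    return those whose value matches the attribute break-out shape."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return {}
    query = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    return {k: v for k, vals in query.items() for v in vals if BREAKOUT.search(v)}


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("attributes:", attributes_of_first_tag(render_vulnerable(PAYLOAD)))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("attributes:", attributes_of_first_tag(render_hardened(PAYLOAD)))
    print("flagged:   ", suspicious_params(SAMPLE_LOG))
```

Run it and compare the two attribute dictionaries: the vulnerable rendering yields separate `onfocus` and `autofocus` attributes, while the hardened rendering keeps the whole payload inside the single `value` attribute as inert text. The detector is deliberately narrow (it looks for the quote-then-handler shape rather than the string alert); broaden it only against logs you have reviewed, since `"on...=` can also appear in legitimate content.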

Preconditions

  • auth: Victim must be authenticated and logged into Flatpress
  • input: Attacker must trick the victim into visiting a crafted URL

Reproduction

1. Log in to the Flatpress application.
2. Visit the following URL (adjust the server path as needed): `http://server/flatpress/admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.cookie%29%22autofocus%3d%22zr4da`.
3. Observe that the XSS payload executes, displaying the victim's cookies in an alert dialog [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.