VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2022 · Updated Apr 14, 2025

Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

CVE-2022-4605

Description

Stored XSS vulnerability in Flatpress blog upload allows arbitrary JavaScript injection via SVG files, fixed in version 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the file upload functionality of Flatpress prior to version 1.3 [1]. The application did not properly validate or restrict file types, allowing users to upload SVG files containing malicious JavaScript code. When an admin or other user views the uploaded file, the embedded script executes in their browser session [2].

Exploitation

An attacker with upload access to the Flatpress instance (e.g., a registered author or someone using a compromised account) can craft an SVG file containing a `<script>` tag or an event-handler attribute and upload it through the normal media upload mechanism. No further interaction is required beyond a victim viewing the uploaded file, for example when an administrator previews the media library or the file appears inline in a blog post [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, theft of credentials, or other actions limited only by the victim's browser permissions and the application's security boundaries. The stored nature of the payload means every subsequent viewer until cleanup is potentially affected [2].

Mitigation

The vulnerability is fixed in Flatpress version 1.3 by adding SVG to the list of forbidden file types [1]. Users should upgrade to 1.3 or later immediately. If upgrading is not possible, administrators can manually block SVG file extensions in the upload configuration or disable upload functionality entirely as a temporary workaround until the patch can be applied [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: < 1.3
  • flatpressblog/flatpressblog/flatpressv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application did not properly sanitize file uploads, allowing for the inclusion of SVG files which could contain malicious scripts."

Attack vector

An attacker could upload a crafted SVG file to the application. This SVG file would contain embedded JavaScript code. When another user views the uploaded SVG, the embedded script would execute within their browser context, leading to a stored cross-site scripting attack [ref_id=1].

Affected code

The vulnerability exists in the `admin/panels/uploader/admin.uploader.php` file, specifically within the `onupload()` function. The code previously allowed SVG files to be uploaded, which are now explicitly forbidden in the updated version [ref_id=1].

What the fix does

The patch adds 'svg' to the list of forbidden file types in the uploader panel. This prevents SVG files, which can contain executable JavaScript, from being uploaded and processed by the application. By disallowing SVG uploads, the vulnerability that allowed for stored XSS is mitigated [ref_id=1].
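The Flatpress fix described above and in the Mitigation section is a forbidden-extension list entry for `svg`. The following is an added example (not Flatpress code) of the upload gate a defender would want around that class of fix: it matches extensions case-insensitively, sniffs the content for an SVG root element so a renamed file is still caught, and reports the active-content constructs (script elements, `on*` handlers, `javascript:` hrefs) that make a stored SVG dangerous, which also helps triage files already uploaded before the patch. The `svgz` entry and the sample files are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Flatpress 1.3 forbids 'svg'; 'svgz' (gzip-compressed SVG) is an assumed addition.
FORBIDDEN_EXTENSIONS = {"svg", "svgz"}
# Matches an <svg ...> root element (optionally namespace-prefixed) early in the file.
SVG_ROOT_RE = re.compile(rb"<\s*(?:\w+:)?svg[\s>/]", re.IGNORECASE)


def extension_forbidden(filename: str) -> bool:
    """Case-insensitive check of every dotted suffix ('logo.SVG', 'a.svg.png')."""
    parts = filename.lower().split(".")[1:]
    return any(p in FORBIDDEN_EXTENSIONS for p in parts)


def looks_like_svg(data: bytes) -> bool:
    """Content sniff: an SVG root element in the first KiB, whatever the name says."""
    return SVG_ROOT_RE.search(data[:1024]) is not None


def _local(tag: str) -> str:
    """Strip an XML namespace ('{http://www.w3.org/2000/svg}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """List the constructs in an SVG document that can execute script when rendered."""
    findings = []
    try:
        root = ET.fromstring(data)  # stdlib parser; does not fetch external entities
    except ET.ParseError:
        return ["unparseable XML"]
    for el in root.iter():
        name = _local(el.tag)
        if name in ("script", "foreignobject"):  # foreignObject can embed HTML
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)  # handles xlink:href as well as plain href
            if a.startswith("on"):
                findings.append(f"{a} handler on <{name}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{name}>")
    return findings


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Gate an upload: reject by extension first, then by sniffed SVG content."""
    if extension_forbidden(filename):
        return False, "forbidden extension"
    if looks_like_svg(data):
        active = svg_active_content(data)
        return False, "SVG content; " + (", ".join(active) if active else "no active content found")
    return True, "ok"


# Constructed sample files for demonstration (not taken from the advisory).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" onload="void 0"/></svg>'
```

Rejecting every SVG, not only those with active content found, is deliberate: browsers sniff `image/svg+xml` regardless of the stored name, so a renamed SVG served from the uploads directory is still rendered as a document.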

Preconditions

  • auth: The attacker must have the ability to upload files to the application.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.