PHP Remote File Inclusion in flatpressblog/flatpress
Description
FlatPress prior to 1.3 allows remote file inclusion via an upload vulnerability, leading to arbitrary PHP code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlatPress versions prior to 1.3 contain a PHP Remote File Inclusion (RFI) vulnerability in the file upload functionality. The upload mechanism fails to properly validate file extensions and contents, allowing an attacker to upload files with arbitrary extensions, including .php. This issue is addressed in commit c30d52b [1] and documented in a huntr.dev advisory [2].
Exploitation
An attacker can exploit this vulnerability by uploading a malicious PHP file through the file upload interface. No authentication is required if the upload function is publicly accessible. The uploaded file is stored on the server and can be accessed, leading to execution of arbitrary PHP code.
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server with the privileges of the web server user. This can lead to full compromise of the FlatPress installation, including data theft, defacement, or further attacks on the underlying system.
Mitigation
The vulnerability is fixed in FlatPress version 1.3. Users should upgrade to this version or later. The fix includes proper validation of uploaded file extensions and content-type checking [1]. No workarounds are available for previous versions.
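To show the kind of checks the fix description refers to (extension validation plus content-type checking), here is an added example of a hardened upload handler. It is not FlatPress code and not the contents of commit c30d52b; the function name storeUpload, the $destDir parameter and the allowlist are assumptions.

```php
<?php
// Added example of hardened upload validation of the sort the FlatPress 1.3 fix
// describes. Not FlatPress code; names and paths below are assumptions.
// Allowlist: extension => MIME type that finfo must report for the content.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and move it to $destDir under a generated name.
 * Returns the stored path, or throws on any validation failure.
 */
function storeUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Derive the extension from the client-supplied name, but never trust it alone.
    $name  = basename($file['name']);
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        // Rejects "x.php.jpg", ".htaccess" and extensionless names outright.
        throw new RuntimeException('exactly one extension is required');
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }

    // Check the actual bytes, not the Content-Type header the client sent.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // Server-chosen name: the client's filename never reaches the filesystem.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

As a second layer, serve $destDir from a location where the web server has no PHP handler mapped, so that a misclassified file still cannot be executed.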
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- flatpressblog/flatpressblog/flatpressv5 (range: unspecified)
Patches (0): No patches discovered yet.
References (2)
News mentions (0): No linked articles in our index yet.