FlatPress Media Manager Plugin panel.mediamanager.file.php main cross site scripting
Description
FlatPress Media Manager plugin is vulnerable to stored XSS via the mm-newgallery-name argument, allowing remote attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in FlatPress, affecting the Media Manager plugin. The issue resides in the file fp-plugins/mediamanager/panels/panel.mediamanager.file.php, specifically in the main function. The mm-newgallery-name argument is not properly sanitized, allowing an attacker to inject malicious script code [1], [2]. This vulnerability affects versions prior to the commit d3f329496536dc99f9707f2f295d571d65a496f5 [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication [1], [2]. The attack involves crafting a malicious mm-newgallery-name parameter containing JavaScript code (e.g., ``). When the vulnerable panel is loaded or the injected data is rendered, the script executes in the context of the administrator or any user visiting the affected page [2]. The issue was reported as a possible XSS in the Media Manager plugin [2].
Impact
Successful exploitation leads to stored XSS, enabling an attacker to execute arbitrary JavaScript in the browser of any user accessing the affected functionality. This could result in session hijacking, defacement, or theft of sensitive information within the FlatPress admin panel [1], [2]. The vulnerability is classified as problematic with a potential for moderate impact on confidentiality and integrity.
Mitigation
The fix is provided in commit d3f329496536dc99f9707f2f295d571d65a496f5 [1]. Users should apply this patch or update to a version that includes it. As of the publication date (2022-12-27), no CISA KEV listing has been reported; the vendor recommends patching [1], [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"Missing output sanitization on user-supplied gallery name input allows stored cross-site scripting."
Attack vector
An attacker can remotely trigger a stored cross-site scripting (XSS) attack by submitting a crafted gallery name via the `mm-newgallery-name` POST parameter to the Media Manager plugin. Because the input was not sanitized before being stored or rendered, any HTML or JavaScript payload supplied in that parameter would be executed in the context of a victim's browser when the gallery name is displayed [ref_id=1].
Affected code
The vulnerable code is in `fp-plugins/mediamanager/panels/panel.mediamanager.file.php` in the `onsubmit` function. The user-supplied value from `$_POST['mm-newgallery-name']` was assigned directly to `$newgallery` without sanitization [ref_id=1].
What the fix does
The patch applies `strip_tags()` to the `$_POST['mm-newgallery-name']` value before assigning it to `$newgallery` [ref_id=1]. This removes any HTML tags from the user-supplied gallery name, preventing the injection of malicious script elements. The single-line change ensures that only plain text is stored and later rendered, closing the XSS vector.
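To make the one-line change concrete, here is an added PHP sketch (not FlatPress code; function names and sample requests are constructed for illustration) that models the unpatched assignment, the patched `strip_tags()` assignment, and a separate output-encoding step at render time:

```php
<?php
// Added example, not FlatPress code. Models the gallery-name handling
// described above; function names and the sample requests are constructed.
declare(strict_types=1);

// Before the fix: the raw POST value is stored as-is.
function gallery_name_unpatched(array $post): string {
    return $post['mm-newgallery-name'] ?? '';
}

// After the fix (as the page describes): strip_tags() removes HTML tags
// before the value is stored.
function gallery_name_patched(array $post): string {
    return strip_tags($post['mm-newgallery-name'] ?? '');
}

// Defence in depth: encode at the point of output regardless of what was
// stored, so a name stored before the patch, or one that strip_tags() did
// not fully neutralise, cannot become markup in the rendered page.
function render_gallery_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: a benign name, one with markup, one with a script tag.
$samples = [
    ['mm-newgallery-name' => 'Summer 2022'],
    ['mm-newgallery-name' => 'Trip <b>photos</b>'],
    ['mm-newgallery-name' => 'Photos <script>x()</script>'],
];

foreach ($samples as $post) {
    $raw    = gallery_name_unpatched($post);
    $stored = gallery_name_patched($post);
    printf("raw:      %s\nstored:   %s\nrendered: %s\n\n",
        $raw, $stored, render_gallery_name($stored));
}
```

Note that `strip_tags()` removes tag syntax but does not encode the remaining text, so the HTML-context encoding at output is the control that should be relied on; the stripping step is best treated as input normalisation.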
Preconditions
- Network: The attacker must be able to send HTTP POST requests to the Media Manager plugin endpoint.
- Input: The attacker must supply a value for the `mm-newgallery-name` POST parameter containing HTML or JavaScript.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/flatpressblog/flatpress/commit/d3f329496536dc99f9707f2f295d571d65a496f5 (patch; via MITRE)
- github.com/flatpressblog/flatpress/issues/177 (issue tracking; via MITRE)
- vuldb.com (signature, permissions-required; via MITRE)
- vuldb.com (VDB entry, technical description; via MITRE)