FlatPress Setup main.lib.php cross site scripting
Description
FlatPress Setup component has a stored XSS vulnerability in setup/lib/main.lib.php due to insufficient input sanitization, allowing remote attackers to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in FlatPress prior to the patch commit 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1. The issue is located in the file setup/lib/main.lib.php within the validate() function. User-supplied input fields such as fpuser (username), email, and www (website) are not sanitized before being stored. This allows an attacker to inject arbitrary HTML and JavaScript code during the setup process [1], [2].
Exploitation
An attacker can remotely trigger the vulnerability during the FlatPress installation wizard by submitting malicious payloads in the username, email, or website fields. No prior authentication or special privileges are required, as the setup page is typically accessible without login. The injected script will be stored in the configuration and executed when an administrator views the affected page [2].
Impact
Successful exploitation leads to stored cross-site scripting. An attacker can execute arbitrary JavaScript in the context of the FlatPress administration interface, potentially allowing session hijacking, credential theft, or other malicious actions. The impact is limited to the scope of the admin session but could lead to full compromise of the FlatPress installation [1], [2].
Mitigation
The vulnerability is fixed in commit 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1, which adds strip_tags() sanitization to the affected input fields [1]. Users should apply the patch immediately by updating to a FlatPress version that includes this commit. No workaround is available; if the patch cannot be applied, users should avoid exposing the setup page except while actively configuring the site [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization (no strip_tags) on user-supplied values in the setup validation function allows HTML/JavaScript injection."
Attack vector
An attacker can trigger a cross-site scripting (XSS) vulnerability by submitting crafted input to the FlatPress setup form. The `validate()` function previously used raw `$_POST` values in error messages and configuration fields without sanitization [1]. By injecting HTML or JavaScript into the `fpuser`, `email`, or `www` parameters, an attacker can cause arbitrary script execution when the error message or stored configuration value is rendered. The attack is remotely initiated via HTTP POST requests to the setup endpoint.
Affected code
The vulnerable code is in `setup/lib/main.lib.php` within the `validate()` function. The original code directly used unsanitized `$_POST` values (`$_POST['fpuser']`, `$_POST['email']`, `$_POST['www']`) in error messages and configuration assignments without stripping HTML tags [1].
What the fix does
The patch applies `strip_tags()` to the `$_POST['fpuser']`, `$_POST['email']`, and `$_POST['www']` values before they are used in error messages or stored in configuration [1]. This removes HTML tags (including `<script>`) from the input, preventing the XSS injection. The sanitized values are stored in local variables (`$fpuser`, `$email`, `$www`) and used consistently throughout the function instead of the raw `$_POST` values.
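As an added illustration of the sanitization pattern the fix describes (example code written for this page, not FlatPress's own `validate()` function): the helpers `sanitizeSetupFields()`, `validateSetupFields()` and `errorMessage()`, the username allow-list pattern, and the sample input array are all assumptions. It applies `strip_tags()` to the three fields before they are used, validates them against an allow-list, and additionally escapes each value with `htmlspecialchars()` where it is rendered into an error message, which is the standard output-encoding defence that `strip_tags()` alone does not provide.

```php
<?php
// Added illustration, not FlatPress code: mirror the fix described above by
// applying strip_tags() to the setup fields before they are used or stored,
// then validate them and escape them again at the point of output.

// Constructed stand-in for $_POST; the tags are inert markers, not a payload.
$samplePost = [
    'fpuser' => 'admin<b>x</b>',
    'email'  => 'user@example.com<i></i>',
    'www'    => 'https://example.com/<u></u>',
];

/**
 * Return the three setup fields with HTML tags removed (hypothetical helper).
 * Missing fields become empty strings so later checks always see a string.
 */
function sanitizeSetupFields(array $post): array
{
    $clean = [];
    foreach (['fpuser', 'email', 'www'] as $field) {
        $clean[$field] = strip_tags((string) ($post[$field] ?? ''));
    }
    return $clean;
}

/**
 * Validate the sanitized values and return a list of error messages.
 * The username pattern is an assumed allow-list, not FlatPress's rule.
 */
function validateSetupFields(array $clean): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $clean['fpuser'])) {
        $errors[] = errorMessage('fpuser', $clean['fpuser']);
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = errorMessage('email', $clean['email']);
    }
    if ($clean['www'] !== '' && filter_var($clean['www'], FILTER_VALIDATE_URL) === false) {
        $errors[] = errorMessage('www', $clean['www']);
    }
    return $errors;
}

/**
 * Build an error message with the offending value escaped for HTML output,
 * so a reflected value cannot become markup even if sanitization is bypassed.
 */
function errorMessage(string $field, string $value): string
{
    return 'Invalid value for ' . $field . ': '
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$clean  = sanitizeSetupFields($samplePost);
$errors = validateSetupFields($clean);

// Print the sanitized values and any validation errors.
print_r($clean);
print_r($errors);
```

Run it with `php example.php` on any PHP 7.4+ interpreter. The two layers are deliberate: `strip_tags()` keeps tags out of the stored configuration, while `htmlspecialchars()` at the output point protects the error-message context independently of what reached storage.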
Preconditions
- network: Attacker must be able to reach the FlatPress setup page via HTTP
- config: Setup form must be accessible (not yet completed or locked)
- input: Attacker submits crafted input via POST parameters fpuser, email, or www
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- [1] github.com/flatpressblog/flatpress/commit/5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1 (MITRE; patch)
- [2] github.com/flatpressblog/flatpress/issues/176 (MITRE; issue tracking)
- [3] vuldb.com (MITRE; signature, permissions required)
- [4] vuldb.com (MITRE; VDB entry)
News mentions (0)
No linked articles in our index yet.