VYPR
Unrated severity · NVD Advisory · Published Mar 1, 2023 · Updated Mar 11, 2025

Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

CVE-2023-1104

Description

Stored XSS vulnerability in Flatpress before 1.3 allows authenticated attackers to inject arbitrary JavaScript via crafted entries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Stored Cross-Site Scripting (XSS) exists in Flatpress versions prior to 1.3. The vulnerability allows an attacker to inject malicious scripts into the application, which are stored and later executed in the browsers of other users. The issue is fixed in commit [1] and reported on huntr.dev [2].

Exploitation

An attacker with the ability to create or edit blog entries (e.g., an authenticated user with author privileges) can inject arbitrary JavaScript code into fields that are not properly sanitized. When other users view the affected entry, the script executes in their browser.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in session hijacking, data theft, defacement, or other malicious actions.

Mitigation

Upgrade to Flatpress version 1.3 or later, which includes the fix from commit [1]. No workaround is available for older versions.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: < 1.3
  • flatpressblog/flatpressblog/flatpressv5
    Range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not properly sanitize file extensions when handling uploads, allowing for the execution of arbitrary code."

Attack vector

An attacker can upload a file with a malicious extension, such as '.php', by bypassing the file type validation. This uploaded file can then be accessed and executed by the server, leading to arbitrary code execution. The vulnerability is present in the file upload functionality of the application [ref_id=1].

Affected code

The vulnerability exists in the `admin/panels/uploader/admin.uploader.php` file within the `onupload()` function. The code previously allowed a broad range of file extensions, including potentially executable ones like '.php' [ref_id=1].

What the fix does

The patch modifies the allowed file extensions in the uploader panel. It removes '.php' from the list of allowed extensions and adds '.md' and '.pages' to the list of allowed file types. This prevents the upload and subsequent execution of PHP files, thereby mitigating the stored cross-site scripting vulnerability [ref_id=1].

Preconditions

  • auth: The attacker must have authenticated access to the application to use the file upload feature.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
