VYPR
Unrated severity · NVD Advisory · Published Mar 2, 2023 · Updated Mar 7, 2025

Cross-site Scripting (XSS) - Reflected in flatpressblog/flatpress

CVE-2023-1106

Description

Reflected XSS in Flatpress blog setup wizard allows attackers to inject arbitrary JavaScript via unsanitized user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the setup wizard of Flatpress versions prior to 1.3. The vulnerability occurs because user-supplied input fields such as fpuser, email, and www are not sanitized before being included in the setup page's error messages or configuration output. This allows an attacker to inject malicious HTML or JavaScript code [1], [2].

Exploitation

To exploit this vulnerability, an attacker must get whoever is running the setup (typically the future administrator) to visit an attacker-controlled page or crafted link that submits malicious input to the setup wizard. No authentication is required, because the setup wizard is reachable before the blog is fully configured. The attacker supplies a value containing script tags in the `fpuser` parameter, and the setup page reflects that value unchanged into the error message it displays [1], [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser on the setup page. This can lead to session hijacking, defacement, or theft of sensitive information such as the administrative credentials being entered during setup or other personal data. Because the setup wizard is the step that creates the administrator account and initial configuration, script running in that page can tamper with what is submitted and so lead to full control over the Flatpress installation [1], [2].

Mitigation

The vulnerability is fixed in Flatpress version 1.3. Users should upgrade to this version immediately. The fix is implemented in commit 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1, which adds strip_tags() to sanitize user input fields in setup.php [1]. No known workarounds exist for versions prior to 1.3.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • flatpressblog/flatpress
    Range: <1.3
  • flatpressblog/flatpressblog/flatpressv5
    Range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not properly sanitize user-supplied input for the username field during the setup process, allowing for cross-site scripting."

Attack vector

An attacker can exploit this vulnerability by submitting a crafted username containing JavaScript code during the initial setup of FlatPress. This input is not properly sanitized before being reflected in the setup page, leading to the execution of arbitrary JavaScript in the context of the user's browser. The vulnerability is present in the `validate()` function within the setup process. [ref_id=1]

Affected code

The vulnerability exists in the `validate()` function within the setup process of FlatPress. Specifically, the code responsible for processing the `fpuser` POST parameter did not sanitize the input, allowing for script injection. The patch modifies lines 98-104 to include `strip_tags()` for the `fpuser` variable. [ref_id=1]

What the fix does

The patch addresses the vulnerability by applying the `strip_tags()` function to the `fpuser` variable before it is used. This function removes HTML and PHP tags from the input string, so a `<script>` element in the username is no longer reflected as markup, which mitigates the reflected cross-site scripting risk. [ref_id=1] Note that `strip_tags()` by itself does not restrict the username to alphanumeric characters, and it is not context-aware output encoding: it leaves quote characters and event-handler text in place, so a value reflected inside an HTML attribute could still break out of that attribute. Encoding the value at output time with `htmlspecialchars()` using `ENT_QUOTES`, combined with an allowlist check on the username at input time, is the more robust defense.
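The following script is an added illustration and is not FlatPress's own setup.php. It models the `fpuser` value flowing into a setup-page error message and a prefilled form field in three forms: unsanitized as the advisory describes for versions before 1.3, with the `strip_tags()` fix, and with output encoding plus an allowlist check. The function names, the markup, the allowlist rule and the two payloads are constructed for this example; the attribute-context payload goes beyond the page's script-tag case to show where `strip_tags()` alone falls short.

```php
<?php
// Added example, not FlatPress's own code. Models the fpuser value reaching
// the setup page in three variants. Function names, markup, the allowlist
// rule and the payloads below are constructed for this illustration.
declare(strict_types=1);

// Pre-fix pattern: the submitted username is echoed into the error message as-is.
function error_unsanitized(string $fpuser): string {
    return '<p class="error">Invalid username: ' . $fpuser . '</p>';
}

// The fix described for 1.3: strip_tags() removes HTML/PHP tags before use.
function error_strip_tags(string $fpuser): string {
    return '<p class="error">Invalid username: ' . strip_tags($fpuser) . '</p>';
}

// Context-aware alternative: encode at the point the value enters HTML.
// ENT_QUOTES also covers double- and single-quoted attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function error_encoded(string $fpuser): string {
    return '<p class="error">Invalid username: ' . h($fpuser) . '</p>';
}

// Attribute context: the same value prefilled into the form's input field.
function prefill_strip_tags(string $fpuser): string {
    return '<input name="fpuser" value="' . strip_tags($fpuser) . '">';
}
function prefill_encoded(string $fpuser): string {
    return '<input name="fpuser" value="' . h($fpuser) . '">';
}

// Allowlist validation (assumed policy, not FlatPress's rule): reject rather
// than clean. A username that fails this never reaches any output path.
function is_valid_username(string $fpuser): bool {
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $fpuser) === 1;
}

// Constructed payloads standing in for crafted fpuser POST values.
$payloads = [
    'tag context'       => 'admin<script>alert(document.cookie)</script>',
    'attribute context' => 'admin" autofocus onfocus="alert(1)',
];

foreach ($payloads as $label => $fpuser) {
    echo "== {$label}: " . var_export($fpuser, true) . "\n";
    echo "valid per allowlist : " . (is_valid_username($fpuser) ? 'yes' : 'no') . "\n";
    echo "unsanitized error   : " . error_unsanitized($fpuser) . "\n";
    echo "strip_tags error    : " . error_strip_tags($fpuser) . "\n";
    echo "encoded error       : " . error_encoded($fpuser) . "\n";
    echo "strip_tags prefill  : " . prefill_strip_tags($fpuser) . "\n";
    echo "encoded prefill     : " . prefill_encoded($fpuser) . "\n\n";
}
```

Run it with `php example.php`. For the tag-context payload, `strip_tags()` reduces the reflected text to `adminalert(document.cookie)`, so the script element is gone. For the attribute-context payload there are no tags to strip, so the strip_tags prefill line becomes `<input name="fpuser" value="admin" autofocus onfocus="alert(1)">`, an injected event handler; the encoded variant keeps the value inside the attribute as `&quot;` and `&lt;` entities, and the allowlist rejects both payloads before they reach any output path.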

Preconditions

  • config: The application must be in the setup phase, allowing a new user to be configured.
  • input: The attacker must be able to provide a username containing script tags.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.