Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress
Description
Stored XSS vulnerability in flatpressblog/flatpress Media Manager plugin allows attackers to execute arbitrary JavaScript via crafted image metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Cross-site Scripting (XSS) vulnerability exists in the Media Manager plugin of flatpressblog/flatpress prior to version 1.3 [1]. The bug allows an attacker to inject arbitrary JavaScript code by crafting malicious image metadata (such as the image title or description) that is not properly sanitized before being stored and later rendered in the Media Manager interface [2]. All versions before 1.3 are affected.
Exploitation
An attacker needs the ability to upload images or modify image metadata in the Media Manager, which typically requires authenticated access with upload privileges [1]. The attacker uploads an image containing specially crafted metadata with an embedded JavaScript payload. When any user (including administrators) views the Media Manager, the malicious script executes in their browser context [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The compromise occurs at the victim's privilege level; if an administrator views the page, the attacker gains full administrative access [2].
Mitigation
The vulnerability is fixed in flatpress version 1.3 [1]. The fix properly sanitizes image metadata before rendering in the Media Manager [1]. Users should upgrade to version 1.3 or later. No workaround is available for earlier versions. As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flatpressblog/flatpress, v5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Media Manager plugin in Flatpress did not sanitize user input for new gallery names, allowing for cross-site scripting."
Attack vector
An attacker can craft a malicious gallery name containing script tags and submit it through the Media Manager plugin's interface. When this gallery name is later displayed or processed by the application, the embedded script will execute in the context of the victim's browser. This vulnerability is triggered by submitting a POST request with a specially crafted `mm-newgallery-name` parameter [ref_id=1].
Affected code
The vulnerability resides in the `fp-plugins/mediamanager/panels/panel.mediamanager.file.php` file within the `onsubmit` function. Specifically, the line `$newgallery = $_POST ['mm-newgallery-name'];` was modified to `$newgallery = strip_tags($_POST ['mm-newgallery-name']);` [ref_id=1].
What the fix does
The patch addresses the vulnerability by applying the `strip_tags` function to the `mm-newgallery-name` input before it is used [ref_id=1]. This function removes HTML and PHP tags from a string, effectively sanitizing the user-provided gallery name and preventing the injection of malicious script code. The change ensures that only plain text is used for gallery names, mitigating the stored cross-site scripting risk.
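The input-side call described above, paired with output encoding at render time, as an added example that is not FlatPress code. The function names `clean_gallery_name` and `render_gallery_item` and the sample gallery names are hypothetical and constructed for illustration. `strip_tags` removes markup but leaves quotes and ampersands untouched, so the render step encodes them with `htmlspecialchars`.

```php
<?php
// Added example, not FlatPress code. Function names are hypothetical.

// Input side: the same strip_tags() call the patch applies to
// $_POST['mm-newgallery-name'], plus a type check on the parameter.
function clean_gallery_name(array $post): string
{
    $raw = $post['mm-newgallery-name'] ?? '';
    if (!is_string($raw)) {
        return '';                  // reject array-valued parameters
    }
    return trim(strip_tags($raw));  // drop HTML/PHP tags, keep the text
}

// Output side: encode for the HTML context when the name is rendered.
// ENT_QUOTES covers both quote styles, so the value is safe inside an
// attribute as well as in element content.
function render_gallery_item(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li title="' . $safe . '">' . $safe . '</li>';
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'Summer 2024',                      // ordinary name, passes through
    '<script>alert(1)</script>Summer',  // tags removed on input
    'Trip "A" & B',                     // untouched by strip_tags, encoded on output
];

foreach ($samples as $input) {
    $stored = clean_gallery_name(['mm-newgallery-name' => $input]);
    echo render_gallery_item($stored), PHP_EOL;
}
```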
Preconditions
- auth: The attacker must have permissions to access the Media Manager plugin, which typically requires authentication.
- input: The attacker must be able to submit a new gallery name via the Media Manager interface.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.