Cross-site Scripting (XSS) - Generic in flatpressblog/flatpress
Description
Stored XSS in FlatPress config panel via unsanitized author and email fields, fixed in version 1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) in the FlatPress configuration panel. The author and email fields in the settings were not sanitized before being saved and later displayed, allowing an attacker to inject arbitrary JavaScript. This affects FlatPress versions prior to 1.3. The fix was implemented in commit [1] by applying wp_specialchars to these fields.
Exploitation
An attacker needs to have administrative access to the FlatPress admin panel (specifically the configuration page) to modify the author or email settings. No user interaction is required once the malicious input is saved; any page that displays these values (e.g., blog posts showing the author name) will execute the injected script.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of a victim's browser. This could result in session hijacking, credential theft, defacement, or other client-side attacks. The attacker gains the ability to perform actions as the victim user, depending on the privileges of the victim viewing the affected page.
Mitigation
The vulnerability is fixed in FlatPress version 1.3. Users should upgrade to version 1.3 or later. The commit [1] patches the issue by sanitizing the author and email inputs with wp_specialchars. No workaround is documented; the only mitigation is to update.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flatpressblog/flatpress (v5), range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied input before displaying it in the configuration panel, leading to cross-site scripting."
Attack vector
An attacker can inject malicious scripts into the 'author' or 'email' fields within the FlatPress configuration panel. When an administrator views or saves these settings, the injected script is executed in their browser. This vulnerability is a generic cross-site scripting flaw [ref_id=1].
Affected code
The vulnerability exists in the handling of POST data for the configuration settings. Specifically, the lines responsible for processing the 'author' and 'email' parameters were modified to include `wp_specialchars` escaping [ref_id=1].
What the fix does
The patch addresses the vulnerability by applying the `wp_specialchars` function to the 'author' and 'email' fields before they are saved. This function converts HTML-significant characters (such as `<`, `>`, `&` and quotes) into their entity equivalents, so the browser cannot interpret them as markup or executable code. The change ensures that any injected script content is rendered as plain text rather than being executed [ref_id=1].
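The following is an added illustration of the before/after behaviour described above; it is not FlatPress's own code or the commit's diff. It models the config-panel flow the advisory describes (POST fields stored, then echoed into a byline) and uses PHP's built-in `htmlspecialchars()` as a stand-in for FlatPress's `wp_specialchars()`. The function names, the `$submitted` sample and the `render_byline` template are assumptions constructed for the example.

```php
<?php
// Added example, not FlatPress code. The sample submission below is constructed.
$submitted = [
    'author' => 'Alice <script>alert(1)</script>',
    'email'  => 'alice@example.com" onmouseover="alert(1)',
];

// Pre-fix behaviour: values are stored exactly as submitted.
function save_config_unsafe(array $post): array {
    return ['author' => $post['author'], 'email' => $post['email']];
}

// Post-fix behaviour: escape on the way in, as the commit does with
// wp_specialchars(). htmlspecialchars() is the stand-in used here (assumption).
function save_config_escaped(array $post): array {
    return [
        'author' => htmlspecialchars($post['author'], ENT_QUOTES, 'UTF-8'),
        'email'  => htmlspecialchars($post['email'], ENT_QUOTES, 'UTF-8'),
    ];
}

// Hypothetical template fragment that displays the stored values (a post byline).
// It concatenates without escaping, which is what makes the stored values matter.
function render_byline(array $cfg): string {
    return '<span class="author">' . $cfg['author'] . '</span> '
         . '<a href="mailto:' . $cfg['email'] . '">mail</a>';
}

// Defender-side check: escaped config values should contain no raw markup
// characters. Useful as a regression test against stored settings.
function contains_raw_markup(string $s): bool {
    return (bool) preg_match('/[<>"\']/', $s);
}

$variants = [
    'unsafe'  => save_config_unsafe($submitted),
    'escaped' => save_config_escaped($submitted),
];
foreach ($variants as $label => $cfg) {
    echo "[$label] ", render_byline($cfg), PHP_EOL;
    echo "  raw markup left in stored author? ",
         contains_raw_markup($cfg['author']) ? 'yes' : 'no', PHP_EOL;
}
```

Run with `php example.php`: the `unsafe` line emits a live `<script>` element and an `onmouseover` attribute injected into the `mailto:` link, while the `escaped` line shows `&lt;script&gt;` and `&quot;` entities that the browser renders as literal text, and the markup check reports `no`. Two caveats for anyone reproducing the fix: escaping at save time (as the commit does) means the stored value is already HTML-encoded, so a later render path that escapes again will double-encode it; and `ENT_QUOTES` matters because the email value lands inside an attribute, where an unescaped `"` is enough to break out.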
Preconditions
- auth: The attacker must have privileges to access and modify the FlatPress configuration panel.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.