VYPR
Unrated severity · NVD Advisory · Published Mar 2, 2023 · Updated Mar 7, 2025

Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

CVE-2023-1147

Description

Stored XSS vulnerability in Flatpress blog comments allows arbitrary JavaScript injection; fixed in version 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the comment handling of Flatpress prior to version 1.3. The comment_clean function in comment.php did not sanitize HTML tags from the name, email, url, and content fields before storing them. The fix in commit 264217f adds strip_tags() calls to each field, preventing HTML injection [1][2].

Exploitation

An attacker can submit a comment containing malicious HTML or JavaScript through any of the comment fields. No authentication is required if the blog allows public comments. The injected script is stored on the server and executed in the browsers of any user viewing the affected comment, including administrators [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement of the blog, theft of sensitive data (e.g., cookies, CSRF tokens), or further attacks against other users [2].

Mitigation

The vulnerability is fixed in Flatpress version 1.3, which includes the commit 264217f [1]. Users should upgrade to version 1.3 or later. No workaround is available for earlier versions [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: <1.3
  • flatpressblog/flatpressblog/flatpressv5 (range: unspecified)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application failed to sanitize user-supplied input in comments, allowing for the injection of malicious scripts."

Attack vector

An attacker can submit a comment containing malicious JavaScript code. This code is then stored by the application and rendered to other users viewing the comments. The vulnerability is present in the comment handling functionality before version 1.3.

Affected code

The vulnerability exists within the `comment_clean` function, specifically in how the `name`, `email`, `url`, and `content` fields are processed before being stored. The commit modifies lines 76-83 to include `strip_tags` for these fields [1].

What the fix does

The patch introduces `strip_tags` calls to sanitize the author's name, email, URL, and the comment content itself. Because tags are removed before the comment is stored, no HTML or script tags from these fields reach the rendered page, mitigating the stored cross-site scripting vulnerability.
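To make the fix pattern concrete, the following is an added illustration written for this page; it is not FlatPress code and does not reproduce `comment_clean`. The function names `sanitize_comment`, `html_escape` and `render_comment` are hypothetical, and the submitted comment is a constructed sample. It applies `strip_tags` to the same four fields the commit touches, then goes beyond the described fix in two ways a practitioner would want: field-shape checks (a valid email, an `http`/`https` URL scheme), because `strip_tags` removes tags but does not validate what remains, and `htmlspecialchars` escaping at render time, so output encoding still protects the page if anything slips past input sanitization.

```php
<?php
// Added example, not FlatPress's code: store-time sanitization in the style
// of the described fix (strip_tags on each field) plus output-time escaping.
declare(strict_types=1);

/**
 * Sanitize a submitted comment before it is stored.
 * Hypothetical function; mirrors the strip_tags-per-field approach the
 * commit adds to comment_clean, with extra validation of email and url.
 */
function sanitize_comment(array $raw): array
{
    $fields = ['name', 'email', 'url', 'content'];
    $clean = [];
    foreach ($fields as $f) {
        $value = isset($raw[$f]) ? (string) $raw[$f] : '';
        // Remove HTML/PHP tags: this is the step the fix adds for each field.
        $clean[$f] = trim(strip_tags($value));
    }
    // strip_tags alone does not validate shape, so check the typed fields.
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $clean['email'] = '';
    }
    if ($clean['url'] !== '') {
        $scheme = strtolower((string) parse_url($clean['url'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $clean['url'] = ''; // only web URLs are accepted for the author link
        }
    }
    return $clean;
}

/**
 * Escape a stored field for insertion into HTML text or an attribute value.
 * Output escaping catches anything input sanitization did not.
 */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a sanitized comment to HTML with every field escaped. */
function render_comment(array $c): string
{
    $author = html_escape($c['name'] === '' ? 'Anonymous' : $c['name']);
    if ($c['url'] !== '') {
        $author = '<a href="' . html_escape($c['url']) . '" rel="nofollow ugc">' . $author . '</a>';
    }
    return '<div class="comment"><p class="author">' . $author . '</p>'
         . '<p>' . nl2br(html_escape($c['content'])) . '</p></div>';
}

// Constructed sample input: tags in the name and content, a non-web URL scheme.
$submitted = [
    'name'    => '<b>Mallory</b>',
    'email'   => 'mallory@example.com',
    'url'     => 'javascript:void(0)',
    'content' => "Nice post <script>run()</script> & thanks!",
];

$stored = sanitize_comment($submitted);
echo render_comment($stored), PHP_EOL;
```

Run it with `php` on the command line: the name and content fields are stored with their tags removed, the non-web URL is dropped rather than emitted into an `href`, and the remaining text is HTML-escaped when rendered. The two layers are deliberate: input sanitization limits what is persisted, output escaping ensures that whatever is persisted is treated as text by the browser.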

Preconditions

  • The attacker must be able to submit a comment to a FlatPress blog.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.