CVE-2024-25411
Description
Flatpress v1.3 setup.php reflects a crafted username payload without sanitization, enabling stored XSS during installation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Flatpress v1.3 setup.php reflects a crafted username payload without sanitization, enabling stored XSS during installation.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Flatpress v1.3 (affected versions include 1.2.1 and up to before the fix in 1.3). The flaw resides in the setup.php file, specifically in the username parameter of the installation wizard. When an attacker provides a malicious payload in the username field, the application reflects it back without proper sanitization or encoding, allowing arbitrary HTML or JavaScript to be executed in the context of the victim's browser [1].
Exploitation
An attacker can exploit this vulnerability remotely without any prior authentication, as the setup page is accessible before a admin account is fully configured. The attack requires the victim to visit the setup.php page while the installer is active. By entering a payload such as tes""> into the username field and clicking "Next", the script executes immediately, demonstrating arbitrary code execution [1].
Impact
Successful exploitation leads to arbitrary web script or HTML execution in the browser of any user who accesses the compromised setup page. This can result in session hijacking, defacement, or redirection to malicious sites. The impact is limited to the browser context and does not directly compromise the server, but it could be used to steal sensitive information or perform actions on behalf of the victim [1].
Mitigation
The vulnerability has been addressed in Pull Request #261, which introduces input sanitization and multilingual error messages [2]. The fix is expected to be included in Flatpress version 1.3 (the latest version at the time of reporting). Users should update to version 1.3 or apply the patch from the referenced pull request. As a workaround, administrators can restrict access to the setup.php page or disable the installer after initial configuration [2].
- GitHub - paragbagul111/CVE-2024-25411: A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php
- Prevents cross-site scripting (XSS) in the parameter username, Error messages now multilingual by Fraenkiman · Pull Request #261 · flatpressblog/flatpress
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The username parameter in setup.php is not properly sanitized, allowing for the injection of arbitrary web scripts."
Attack vector
An attacker can exploit this vulnerability by navigating to the setup.php page and injecting a crafted payload into the "username" field. The payload, such as `tes"><img src=x onload=alert(1)>`, is then reflected in the application's output without proper encoding. This leads to the execution of arbitrary JavaScript code in the user's browser [ref_id=1].
Affected code
The vulnerability resides in the setup.php file, specifically within the handling of the username parameter. The provided reference points to the setup.php script where the username input is processed and reflected, leading to the XSS flaw [ref_id=1].
What the fix does
The advisory indicates that the vulnerability will be fixed in FlatPress version 1.3. While a specific patch is not provided, the fix likely involves sanitizing or escaping the input in the username parameter before it is rendered in the HTML output, thereby preventing XSS attacks [ref_id=1].
Preconditions
- inputThe attacker must provide a crafted payload in the username parameter.
- networkThe attacker must be able to access the setup.php page.
Reproduction
1. Download FlatPress CMS from a trusted source. 2. Start a local PHP server using the command: php -S 127.0.0.1:80 3. Open the following URL in your browser: https://127.0.0.1/setup.php 4. In the "username" field, enter the following payload: tes"> <img src=x onload=alert(1)> 5. Click on the "Next" button. 6. A pop-up with the number "1" will appear on the screen, indicating the successful execution of the payload [ref_id=1].
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.