VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2024 · Updated Mar 13, 2025

CVE-2024-25412

Description

Flatpress v1.3 installation wizard contains a stored XSS vulnerability in the email field, allowing arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the FlatPress v1.3 installer. The email field on the setup page does not properly sanitize user input, allowing an attacker to inject arbitrary HTML or JavaScript. This affects FlatPress versions up to and including 1.2.1, with the issue present in the 1.3 release candidate that was intended to fix it. The vulnerable code path is reachable during the initial installation wizard (setup.php).

Exploitation

An attacker can exploit this vulnerability by simply accessing the FlatPress setup page (e.g., http://127.0.0.1/setup.php) and entering a crafted payload into the email field. No authentication or special network position is required; the attacker only needs to be able to load the setup page. The proof-of-concept payloads "><img src=x onload=alert(1)> and "><script>alert(1)</script> cause immediate script execution when the page processes the input and renders it without escaping [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser session. This can result in session hijacking, defacement, or redirection to malicious sites. Since the XSS occurs during the installation process, the impact is limited to users who are in the process of setting up Flatpress, which could include administrators on a fresh installation.

Mitigation

The vendor has acknowledged the issue and a fix is planned for FlatPress version 1.3, but as of the publication date no patched release is available [1]. Users are advised to avoid using the affected installer in untrusted environments or to implement a web application firewall (WAF) rule to block the malicious payload patterns. For existing installations, manual sanitization of the email field in the installer source code may be considered until the official fix is released.
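One way to apply that sanitization, shown as an added example that is not FlatPress's own installer code: a PHP form field that echoes the submitted address back into an HTML attribute, in the vulnerable shape beside a hardened one. Function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added illustration, not FlatPress code. An installer form field that echoes the
// submitted e-mail back into an HTML attribute, first unescaped, then hardened.

// Vulnerable pattern: the raw value is concatenated into the value="..." attribute.
// A submitted value that begins with "> closes the attribute and the <input> tag,
// and whatever follows is parsed by the browser as new markup.
function render_email_field_vulnerable(string $email): string
{
    return '<input type="email" name="email" value="' . $email . '">';
}

// Hardened pattern: escape for the attribute context. ENT_QUOTES encodes both
// double and single quotes, so the value can never terminate the attribute;
// < and > are encoded too, so no tag can be opened inside it.
function render_email_field_safe(string $email): string
{
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="email" name="email" value="' . $escaped . '">';
}

// Defence in depth: validate the value as an e-mail address before storing it
// or re-displaying it. Returns null for anything that is not an address.
function accept_installer_email(string $email): ?string
{
    $valid = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed inputs: a benign address and the attribute-breakout shape quoted
// in the advisory text above.
$samples = [
    'admin@example.test',
    '"><script>alert(1)</script>',
];

foreach ($samples as $input) {
    echo "input:      ", $input, PHP_EOL;
    echo "vulnerable: ", render_email_field_vulnerable($input), PHP_EOL;
    echo "escaped:    ", render_email_field_safe($input), PHP_EOL;
    $accepted = accept_installer_email($input);
    echo "validated:  ", $accepted === null ? '(rejected)' : $accepted, PHP_EOL, PHP_EOL;
}
```

Run it with the PHP CLI to compare the three renderings for each input: the escaped form keeps the breakout inside the attribute as literal text, and validation rejects it outright.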

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The email parameter in the FlatPress installer does not properly sanitize user input, allowing for the injection of arbitrary HTML and script code."

Attack vector

An attacker can exploit this vulnerability by navigating to the FlatPress installer page and injecting a crafted payload into the "email" field. The payload, such as "><img src=x onload=alert(1)>" or "><script>alert(1)</script>", will be executed when the page is rendered, leading to arbitrary script execution [ref_id=1]. This attack can be performed remotely by any user who can access the installer script.

Affected code

The vulnerability resides within the installer script of FlatPress, specifically in the handling of the "email" parameter. The reference write-up identifies the affected component as "Cross-Site Scripting (XSS) in FlatPress Installer (email parameter)" [ref_id=1].

What the fix does

The advisory indicates that the vulnerability will be fixed in FlatPress version 1.3. However, the provided bundle does not contain a patch or specific details on how the fix is implemented. Remediation guidance suggests updating to the fixed version once it becomes available.

Preconditions

  • input: The attacker must be able to provide input to the 'email' field during the FlatPress installation process.
  • network: The attacker must have network access to the FlatPress installer script.

Reproduction

1. Download FlatPress CMS from a trustworthy source.
2. Launch a local PHP server using the command: php -S 127.0.0.1:80.
3. Open the URL: https://127.0.0.1/setup.php.
4. Within the "email" field, insert the payload: "><img src=x onload=alert(1)> or "><script>alert(1)</script>.
5. A pop-up displaying '1' will appear, confirming successful execution. Then, click the "Next" button [ref_id=1].

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)