CVE-2024-33209

Vulnerability

FlatPress v1.3 contains a stored cross-site scripting (XSS) vulnerability in the "Add New Entry" feature of the admin panel. An attacker can inject malicious JavaScript code into the entry content, which is then stored and executed when the entry is viewed. The vulnerability exists in version 1.3 and requires the attacker to have access to the admin panel or trick an admin into submitting crafted input [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted link to an authenticated admin user. Upon clicking the link, the admin's browser executes the injected script. The attacker does not need direct access to the admin panel if they can convince an admin to use the malicious payload [1].

Impact

Successful exploitation allows the attacker to steal session tokens, cookies, or other sensitive information. The attacker can also modify page content, redirect users to malicious sites, or perform actions on behalf of the victim, leading to full compromise of the admin session [1].

Mitigation

The vendor has not released a definitive patched version; the reference mentions that the fix will be included in FlatPress version 1.3, which may indicate a revision. Users should apply any available updates from the official FlatPress repository. As a workaround, disable the "Add New Entry" functionality or restrict admin panel access until a fix is applied [1].