CVE-2024-33210
Description
Cross-site scripting (XSS) vulnerability in Flatpress 1.3 allows an attacker to inject malicious scripts via a crafted URL, leading to arbitrary code execution in the user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Flatpress 1.3 contains a reflected cross-site scripting (XSS) vulnerability in the admin.php endpoint. The entry parameter is reflected in the response without proper sanitization, allowing an attacker to inject arbitrary HTML and JavaScript. The affected component is the URL parameter entry when p=entry and action=write. An example malicious URL is http://127.0.0.1/flatpress-1.2.1/admin.php?p=entry&entry=bmnik"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"vqtz3&action=write. The vulnerability affects Flatpress version 1.3, although the PoC targets 1.2.1. [1]
Exploitation
An attacker can craft a URL with a malicious payload in the entry parameter. The attacker must trick an authenticated Flatpress administrator into visiting the crafted URL. No special privileges are required from the attacker beyond the ability to deliver the link. The exploit triggers when the victim's mouse hovers over the injected element (using onmouseover) or upon page load. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, theft of sensitive information such as admin credentials, or other malicious actions that compromise the Flatpress installation and its users. [1]
Mitigation
The vendor has indicated that the vulnerability will be fixed in FlatPress version 1.3. As of the publication date (October 2024), no patched version had been released. Users should monitor the Flatpress project for updates. As a workaround, administrators should avoid clicking on untrusted links while logged into the admin panel and consider implementing input sanitization for the entry parameter until a fix is available. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user-supplied input in URLs, allowing for script injection."
Attack vector
An attacker can exploit this vulnerability by crafting a malicious URL that includes JavaScript code within URL parameters, such as `onmouseover` or `style` attributes. When a victim accesses this URL, the injected script executes in their browser within the context of the Flatpress application. This allows the attacker to perform actions on behalf of the user, such as stealing sensitive information or hijacking sessions [1].
Affected code
The vulnerability is related to the handling of URLs within the Flatpress CMS. Specifically, the affected component is identified as the URL, and the exploit involves manipulating parameters within the URL to inject scripts [1].
What the fix does
The advisory indicates that the vulnerability will be fixed in FlatPress version 1.3. The recommended remediation is to update to this version once it is released. The reference write-up suggests using the `htmlentities()` function in PHP to sanitize input, which would prevent the injection of malicious scripts by converting special characters into their HTML entity equivalents [1].
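As an added illustration of the `htmlentities()` remediation described above (example code written for this page, not FlatPress's own; the admin page, field name and helper functions are assumed), the vulnerable reflection is shown beside its encoded form, fed with the `entry` value from the advisory's PoC URL:

```php
<?php
// Added example, not FlatPress code. Assumes a hypothetical admin page
// that echoes the "entry" query parameter into an <input> value, which
// is the reflection pattern the advisory describes.

// Vulnerable: the raw parameter is concatenated into the attribute, so a
// value containing a double quote closes value="..." and the rest of the
// payload becomes attributes (onmouseover, style) of the attacker's choice.
function render_entry_field_vulnerable(string $entry): string
{
    return '<input type="text" name="entry" value="' . $entry . '">';
}

// Hardened: htmlentities() with ENT_QUOTES encodes ", ', <, > and & so
// the whole parameter stays inside the value attribute as literal text.
function render_entry_field_safe(string $entry): string
{
    $escaped = htmlentities($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="entry" value="' . $escaped . '">';
}

// Crude regression check: does the rendered markup contain an unescaped
// on*="..." event-handler attribute? Encoded output never matches because
// the quote following "=" has become &quot;.
function contains_event_handler(string $html): bool
{
    return (bool) preg_match('/\bon[a-z]+\s*=\s*["\']/i', $html);
}

// The entry= value exactly as it appears in the advisory's PoC URL.
$payload = 'bmnik"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"vqtz3';

foreach (['vulnerable' => render_entry_field_vulnerable($payload),
          'safe'       => render_entry_field_safe($payload)] as $label => $html) {
    printf("%-10s handler=%s  %s\n", $label, contains_event_handler($html) ? 'yes' : 'no', $html);
}
```

The same encoding must be applied at every point where the parameter is echoed into HTML, not only on the `entry` field; a single unencoded reflection is enough to keep the page exploitable.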
Preconditions
- input: The attacker must be able to provide a crafted URL to a victim.
- network: The victim must access the crafted URL via their web browser.
Reproduction
1. Access the following URL: http://127.0.0.1/flatpress-1.2.1/admin.php?p=entry&entry=bmnik"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"vqtz3&action=write
2. Replace "127.0.0.1" with the domain name of the target website.
3. Inject the malicious script to trigger the XSS vulnerability [1].
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions (0)
No linked articles in our index yet.