Cross-Site Request Forgery (CSRF) in flatpressblog/flatpress
Description
A CSRF vulnerability in FlatPress CMS allows attackers to enable or disable plugins on behalf of an authenticated victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlatPress CMS versions prior to 1.4.dev are vulnerable to Cross-Site Request Forgery (CSRF): an attacker can enable or disable plugins on behalf of a victim user. The plugin management actions carry no CSRF protection; the server accepts any request that arrives with a valid session without checking that the request was produced by its own user interface, for example by requiring an anti-CSRF token (nonce) [1][2]. Affected versions: all versions before 1.4.dev.
Exploitation
An attacker crafts a link, or a web page carrying a script such as an auto-submitting form, that when visited by an authenticated user sends a request to the FlatPress CMS server to enable or disable a plugin. The victim's browser attaches the session cookie, so the server treats the request as the victim's own. The only user interaction required is the victim opening the attacker's link or page; the attacker needs no prior access to the server and no knowledge of the victim's credentials [2].
Impact
On success, the attacker can enable or disable plugins, potentially altering the functionality of the CMS. The impact could include disabling security plugins or enabling malicious ones, leading to further compromise. The attacker operates with the privileges of the victim user [2].
Mitigation
The vulnerability is fixed in version 1.4.dev [1]. The referenced commit a81c968f51f134b5e5f9bbe208aa12f4fbc329df adds a CSRF nonce check to the static page deletion action; similar protections should be applied to the plugin management actions. Users should update to 1.4.dev or later and, after upgrading, confirm that plugin enable/disable requests carry a token which the server rejects when it is missing or wrong. No other workarounds are documented [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
flatpressblog/flatpress (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to validate that the user performing the action is authorized to do so, allowing for Cross-Site Request Forgery."
Attack vector
An attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to enable or disable plugins. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, allowing the attacker to perform unauthorized actions on behalf of the victim. This vulnerability is a classic example of Cross-Site Request Forgery [1].
Affected code
The referenced fix commit touches the `admin_static_delete` class, specifically its `ondelete` function. The original code performed the deletion on any authenticated request, without checking that the request came from the application's own form, which is the same missing check that the plugin enable/disable actions suffer from. The patch adds a nonce check and input sanitization to this function [1].
What the fix does
The patch introduces a nonce check, reported as `check_admin_referer('admin_static_delete')`, within the `ondelete` function. The nonce is a secret value that the application embeds in its own delete form and that a page on another origin cannot read or guess, so a request that lacks the correct nonce is rejected even though it carries the victim's session cookie. The `sanitize_text_field` function is also used to clean up input, further mitigating potential injection risks [1]. Note that `check_admin_referer` and `sanitize_text_field` are the names WordPress uses for these helpers; confirm the actual function names against the commit diff before relying on them.
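The following added example, written for this page and not FlatPress's own code nor the referenced commit, shows the pattern that the Exploitation section and the fix description above describe: an action handler that trusts any authenticated request, beside the same handler guarded by a per-session, per-action nonce, and a simulated forged request that succeeds against the first and fails against the second. All function names, the `plugin_toggle` action name and the request fields are assumptions made for illustration.

```php
<?php
// Added example, not FlatPress code: a minimal synchroniser-token ("nonce")
// check for a state-changing admin action such as enabling a plugin, next to
// the unprotected handler the page describes. All function and parameter
// names here are assumptions for illustration, not the project's API.
declare(strict_types=1);

// Per-session secret. A real application keeps this in $_SESSION; here the
// session is a plain array passed by reference so the example runs offline.
function csrf_secret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

// Nonce bound both to the session secret and to one named action, so a token
// taken from a "delete page" form cannot be replayed against "toggle plugin".
function csrf_nonce(array &$session, string $action): string
{
    return hash_hmac('sha256', $action, csrf_secret($session));
}

// Constant-time comparison; a missing, empty or foreign token fails closed.
function csrf_verify(array &$session, string $action, ?string $nonce): bool
{
    if ($nonce === null || $nonce === '' || empty($session['csrf_secret'])) {
        return false;
    }
    return hash_equals(csrf_nonce($session, $action), $nonce);
}

// Before: the handler trusts any request that arrives with a logged-in
// session, which is exactly what a forged cross-site request carries.
function plugin_toggle_unprotected(array &$session, array $post, array &$plugins): bool
{
    if (empty($session['user'])) {
        return false;                         // not logged in
    }
    $name = $post['plugin'] ?? '';
    if (!array_key_exists($name, $plugins)) {
        return false;                         // unknown plugin
    }
    $plugins[$name] = ($post['action'] ?? '') === 'enable';
    return true;
}

// After: the same handler, but only a request that carries the nonce the
// application itself embedded in its form is honoured.
function plugin_toggle_protected(array &$session, array $post, array &$plugins): bool
{
    if (empty($session['user'])) {
        return false;
    }
    if (!csrf_verify($session, 'plugin_toggle', $post['nonce'] ?? null)) {
        return false;                         // forged or stale request
    }
    return plugin_toggle_unprotected($session, $post, $plugins);
}

// --- Simulation with constructed data --------------------------------------
$session = ['user' => 'admin'];               // victim's authenticated session
$plugins = ['akismet' => true, 'calendar' => false];

// The admin page renders its form with the nonce as a hidden field...
$legit = ['plugin' => 'calendar', 'action' => 'enable',
          'nonce'  => csrf_nonce($session, 'plugin_toggle')];
// ...while an attacker's page can only send the fields it can guess. The
// browser attaches the victim's cookie, but the same-origin policy keeps the
// attacker from reading the nonce out of the victim's admin page.
$forged = ['plugin' => 'akismet', 'action' => 'disable'];

$p1 = $plugins;
plugin_toggle_unprotected($session, $forged, $p1);
echo "unprotected, forged request: akismet enabled = ", var_export($p1['akismet'], true), "\n";

$p2 = $plugins;
$ok = plugin_toggle_protected($session, $forged, $p2);
echo "protected, forged request:   accepted = ", var_export($ok, true),
     ", akismet enabled = ", var_export($p2['akismet'], true), "\n";

$ok = plugin_toggle_protected($session, $legit, $p2);
echo "protected, genuine request:  accepted = ", var_export($ok, true),
     ", calendar enabled = ", var_export($p2['calendar'], true), "\n";
```

Run it with `php example.php` (PHP 7.1 or later for the nullable type hint). Binding the nonce to the action name is the design choice worth copying: a single site-wide token still stops cross-site forgery, but a per-action token also limits the damage if one form's token leaks. Checking the `Origin` or `Referer` header is a useful second layer, not a replacement, since some clients omit those headers.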
Preconditions
- auth: The victim user must be authenticated to the FlatPress CMS.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.