CVE-2025-25460
Description
A stored XSS vulnerability in FlatPress 1.3.1's Add Entry feature allows authenticated attackers to inject malicious scripts into blog posts, leading to potential session hijacking or phishing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlatPress 1.3.1 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Add Entry" feature. The TextArea field fails to properly sanitize user input, allowing injection of malicious JavaScript payloads that persist in blog posts [1].
Exploitation
An authenticated attacker (e.g., admin) can log in, navigate to the Add Entry section, and inject a JavaScript payload such as `` into the text area. Saving the entry stores the payload, which executes when any user views the post [1].
Impact
Successful exploitation results in persistent JavaScript execution in victims' browsers. This can lead to session hijacking (theft of admin cookies), phishing attacks, or page defacement [1].
Mitigation
FlatPress has patched the issue in the 1.4-dev branch [1]. Users should update to that version. As a workaround, sanitize entry content before it is rendered and deploy a Content Security Policy (CSP) that blocks inline scripts [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products: 2
Patches
No patches discovered yet (0).
Vulnerability mechanics
Root cause
"Improper input sanitization of the 'TextArea' field in the blog entry submission form allows injection of arbitrary JavaScript."
Attack vector
An authenticated attacker (e.g., an admin) navigates to the "Add Entry" section and inserts a malicious JavaScript payload into the TextArea field, such as ``.
Affected code
The vulnerability resides in the "Add Entry" feature of FlatPress 1.3.1, specifically in the "TextArea" field of the blog entry submission form [1]. The exact file path is not specified in the advisory, but the component is the entry creation form used by authenticated users.
What the fix does
No patch diff is provided in the advisory. The vendor confirmed the issue and is patching it in the FlatPress 1.4-dev branch [1]. The recommended remediation includes sanitizing user input before rendering, implementing a Content Security Policy (CSP) to block inline scripts, and updating to FlatPress 1.4-dev [1].
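The two workarounds named here and under Mitigation (sanitize entry content before it is rendered; send a CSP that refuses inline scripts) are shown below as an added example. It is not FlatPress code: FlatPress is PHP and has its own entry pipeline, so the allowlist of tags, the `sanitize_entry`/`csp_header` names and the constructed sample entry are all assumptions made for illustration. The sanitizer rebuilds the entry from an allowlist rather than trying to strip known-bad patterns, which is the usual defensive choice for stored XSS.

```python
"""Allowlist sanitizer for stored blog-entry HTML, plus a CSP header value.

Added example (not FlatPress's own code). Assumptions: a small formatting
allowlist stands in for whatever markup the real entry editor permits.
"""
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an entry may contain and the attributes allowed on each one
# (assumed minimal set; event-handler attributes are never on it).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(), "pre": set(), "a": {"href"},
}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}

# Constructed sample of an Add Entry submission (not from the advisory).
SAMPLE_ENTRY = (
    '<p onclick="steal()">Hello <b>world</b></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">link</a> '
    '<a href="https://flatpress.org/">site</a>'
)


def _safe_url(url):
    """Accept relative links and absolute http(s) links only."""
    url = url.strip()
    # Embedded whitespace/control characters are a classic way to disguise
    # a scheme, so refuse them outright instead of trying to normalise.
    if any(ord(c) < 33 or ord(c) == 127 for c in url):
        return False
    scheme = urlparse(url).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class EntrySanitizer(HTMLParser):
    """Re-emit only allowlisted markup; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowlisted tags currently open, for balancing
        self._skip_depth = 0   # >0 inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick=, style=, etc.
            if name == "href" and not _safe_url(value):
                continue  # drops javascript: and other non-http(s) schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in self._open:
            # Close any intervening tags too, so the output stays well-formed.
            while self._open:
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=True))  # text can never form a tag

    def result(self):
        while self._open:  # close whatever the author left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_entry(raw_html):
    """Return entry HTML that is safe to store and echo back into a post."""
    parser = EntrySanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


def make_nonce():
    """Fresh per-response nonce for the CSP below."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Content-Security-Policy value: no inline scripts; only same-origin
    script files and <script nonce=...> tags the server itself emitted run."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print(sanitize_entry(SAMPLE_ENTRY))
    print("Content-Security-Policy:", csp_header(make_nonce()))
```

Sanitizing at render time (as well as on save) is what closes the hole for entries that were stored before the fix; the CSP is defence in depth, since an injected inline `<script>` or `onclick` handler cannot run without the nonce even if some sanitizer bypass is found later.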
Preconditions
- auth: Attacker must be authenticated (e.g., logged in as admin) to access the 'Add Entry' feature.
- input: The victim must visit the affected blog post where the payload is stored.
Reproduction
1. Log in as an Admin in FlatPress v1.3.1.
2. Navigate to the "Add Entry" section.
3. Insert the following XSS payload in the text area: ``
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions
No linked articles in our index yet (0).