CVE-2025-29602
Description
FlatPress 1.3.1 is vulnerable to stored Cross-Site Scripting (XSS) in the admin Manage categories feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlatPress 1.3.1 is vulnerable to stored Cross-Site Scripting (XSS) in the Administration area's "Manage categories" functionality [1]. The vulnerability allows an attacker with administrative access to inject arbitrary HTML and JavaScript code into category names or descriptions. When other administrators or users view the category list in the admin panel, the injected script executes in their browser. The issue affects the FlatPress 1.3.1 release and possibly earlier versions; the open-source project is available at GitHub - flatpressblog/flatpress [1].
Exploitation
An attacker must have valid administrator-level credentials to access the FlatPress administration panel. Once authenticated, the attacker navigates to the "Manage categories" page, creates or edits a category, and inserts a malicious payload into the category name or description field. The application does not sanitize or escape this input before storing it [1]. When any administrator or privileged user views the categories list, the payload executes in their browser session.
Impact
Successful exploitation leads to stored Cross-Site Scripting, allowing the attacker to execute arbitrary JavaScript in the context of the victim's administration session. Potential impacts include theft of session cookies, privilege escalation, defacement of the admin interface, or forced actions on behalf of the victim within the FlatPress admin area [1]. The attack is limited to users who have access to the admin panel; it does not affect the public-facing blog without further chaining.
Mitigation
As of this writing, no official patched version of FlatPress has been released for CVE-2025-29602 [1]. The vendor has been notified, but no fix is yet available. Administrators should restrict admin panel access to trusted users only, apply strict input validation on category fields manually, or use Content Security Policy (CSP) headers to reduce the impact of XSS. If the risk is unacceptable, consider disabling the category management feature or migrating to an alternative blogging platform until a patch is published [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
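The mitigation section names three controls: output escaping of category fields, input validation at write time, and a CSP header on the admin pages. The following is an added example in PHP (FlatPress is a PHP application) and is not FlatPress's own code: it renders a hypothetical admin category list in the unsafe and the escaped form side by side, adds a validation check for category names, and sends a restrictive CSP. The function names and the sample category rows are constructed for the demonstration.

```php
<?php
// Added example, not FlatPress code: a hypothetical admin "categories" list
// rendered two ways, plus the input validation and CSP header the mitigation
// section recommends. The category rows below are constructed for the demo.

declare(strict_types=1);

// Constructed sample rows, as they might sit in storage. The second name
// contains HTML metacharacters to show what escaping does with them.
const SAMPLE_CATEGORIES = [
    ['name' => 'General',      'description' => 'Default category'],
    ['name' => 'R&D <"beta">', 'description' => "Tom's notes"],
];

// Vulnerable pattern: stored values are interpolated into HTML verbatim, so
// any markup in a category name becomes live markup in the admin's browser.
function render_category_row_unsafe(string $name, string $description): string
{
    return "<tr><td>{$name}</td><td>{$description}</td></tr>\n";
}

// Hardened pattern: escape for an HTML text context at output time. ENT_QUOTES
// covers both quote characters, ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, and the charset is stated explicitly.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_row(string $name, string $description): string
{
    return '<tr><td>' . esc_html($name) . '</td><td>' . esc_html($description) . "</td></tr>\n";
}

// Input validation at write time, as defence in depth: category names are
// short labels, so reject anything containing angle brackets, quotes or
// control characters rather than trying to "clean" the value.
function is_valid_category_name(string $name): bool
{
    return $name !== ''
        && strlen($name) <= 64
        && preg_match('/[<>"\'\x00-\x1F\x7F]/', $name) !== 1;
}

// CSP for the admin pages: no inline script, scripts only from this origin.
// Must be sent before any output. A nonce-based policy is the usual next
// step if the admin templates depend on inline scripts.
function send_admin_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

if (PHP_SAPI === 'cli') {
    foreach (SAMPLE_CATEGORIES as $c) {
        printf("valid name? %s\n", is_valid_category_name($c['name']) ? 'yes' : 'no');
        echo 'unsafe:  ', render_category_row_unsafe($c['name'], $c['description']);
        echo 'escaped: ', render_category_row($c['name'], $c['description']);
    }
}
```

Run from the command line, the second row shows `&`, `<`, `>` and the quotes converted to entities in the escaped output while the unsafe output emits them as markup; the validation check rejects that name outright. Output escaping is the control that actually closes the stored XSS; validation and CSP limit the blast radius if a field is missed.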
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.