CVE-2025-44108

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS versions before 1.4 (specifically, prior to the 1.4 release candidate). The flaw resides in the gallery captions component, where an attacker with administrative privileges can inject malicious JavaScript payloads that are stored persistently. This issue is acknowledged in the FlatPress 1.4 release notes [1] and credits researcher harish0x [2].

Exploitation

Exploitation requires an attacker to have valid admin credentials for a Flatpress blog. The attacker navigates to the gallery management section and crafts a caption containing JavaScript code. Upon saving, the payload is stored in the system's database. The stored script will then execute in the context of any user's browser that views the affected gallery, including other administrators or visitors.

Impact

Successful exploitation leads to persistent execution of arbitrary JavaScript in the context of the Flatpress admin panel. This can result in session hijacking, defacement, or theft of sensitive information, particularly from other administrators who view the gallery. The attacker achieves persistence, meaning the payload remains active until manually removed.

Mitigation

The vulnerability is fixed in FlatPress 1.4 Release Candidate 2 (and presumably the final 1.4 release). Users should upgrade to version 1.4.rc2 or later [1]. No workarounds are documented for unpatched versions.