How the CVE Works
CVE-2025-29602 is a stored Cross-Site Scripting (XSS) vulnerability in the administration panel of FlatPress 1.3.1, specifically in the “Manage Categories” section. An authenticated attacker with admin privileges can save JavaScript payloads in category names or descriptions. Because those values are stored and later rendered in the admin backend without adequate sanitization or output encoding, the script executes in the browser of any administrator who views or edits the categories, which can lead to session hijacking, unauthorized actions performed with that administrator's rights, or data theft.
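As an added illustration (not FlatPress's own code), the PHP below shows the rendering pattern the description implies, where stored category values are echoed into the admin page unencoded, beside the htmlspecialchars()-based rendering that prevents it. The sample category values, the function names and the attribute context are this example's assumptions.

```php
<?php
// Added example, not FlatPress code: unescaped category fields become stored
// XSS; encoding every value for its HTML context removes the problem.
// Function and variable names are this example's own.

// Constructed sample: what an admin could have saved through the
// "Manage Categories" form. The description breaks out of an attribute.
$category = [
    'name' => '<script>alert(\'XSS\')</script>',
    'desc' => 'News" autofocus onfocus="alert(document.cookie)',
];

// Vulnerable pattern: stored values are echoed straight into the admin page,
// once in text context and once inside an attribute, with no output encoding.
function render_category_vulnerable(array $c): string {
    return '<li>' . $c['name'] . '</li>'
         . '<input type="text" name="desc" value="' . $c['desc'] . '">';
}

// Hardened pattern: every untrusted value is encoded for HTML.
// ENT_QUOTES also encodes single quotes, which matters inside attributes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8;
// the explicit charset avoids depending on the default_charset ini setting.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_safe(array $c): string {
    return '<li>' . esc($c['name']) . '</li>'
         . '<input type="text" name="desc" value="' . esc($c['desc']) . '">';
}

// Cheap regression check: rendered HTML must not contain the raw stored tag
// nor the attribute break-out from the stored description.
function contains_live_markup(string $html, array $c): bool {
    return strpos($html, $c['name']) !== false
        || strpos($html, 'value="' . $c['desc'] . '"') !== false;
}

$vuln = render_category_vulnerable($category);
$safe = render_category_safe($category);

var_dump(contains_live_markup($vuln, $category));
var_dump(contains_live_markup($safe, $category));
echo $safe, PHP_EOL;
```

The check is deliberately narrow: it proves the two fields are encoded in these two contexts, not that every place FlatPress prints a category is covered. Values inserted into JavaScript, URLs or CSS need context-specific encoding, which htmlspecialchars() alone does not provide.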
DailyCVE Form
Platform: FlatPress
Version: 1.3.1
Vulnerability: Stored XSS
Severity: Medium
Date: 2025-06-16
Prediction: Patch by 2025-08-15
What Undercode Say
Check vulnerable version (assumes a `flatpress-cli` helper is installed; otherwise read the version string shown in the admin panel):
flatpress-cli --version | grep "1.3.1"
Exploit PoC (simulated; the endpoint and parameter name are illustrative, and the request must carry an authenticated admin session cookie, e.g. `-b "PHPSESSID=..."`):
curl -X POST -d "category=<script>alert('XSS')</script>" http://target/admin/categories
Mitigation test (coarse: shows output encoding is used somewhere in the admin code, not that every category field is encoded):
grep -r "htmlspecialchars" /var/www/flatpress/admin/
How Exploit
1. Log in as admin.
2. Navigate to “Manage Categories.”
3. Inject `<script>alert('XSS')</script>` into the category name or description field and save.
4. The payload executes when another admin views or edits the category.
Protection from this CVE
- Update to FlatPress 1.3.2 or later once the fix is released.
- Encode category names and descriptions on output with htmlspecialchars() (ENT_QUOTES, explicit UTF-8 charset).
- Implement a Content-Security-Policy header that does not allow inline scripts.
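Added example of the CSP mitigation (not FlatPress code): a weak policy that still allows injected inline scripts beside a nonce-based policy that refuses them. The function names and the script path are this example's assumptions, and any inline scripts FlatPress or its plugins emit would need the nonce as well.

```php
<?php
// Added example, not FlatPress code: Content-Security-Policy as defence in
// depth against stored XSS in the admin panel. Names are this example's own.

// One nonce per response; an injected <script> block cannot know it.
function csp_nonce(): string {
    return base64_encode(random_bytes(16));
}

// Weak header: 'unsafe-inline' permits any injected inline script,
// so it adds nothing against this CVE.
function csp_weak(): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'";
}

// Hardened header: only scripts carrying the per-request nonce execute;
// object-src 'none' and base-uri 'self' close common bypass routes,
// frame-ancestors 'none' keeps the admin panel out of attacker frames.
function csp_strict(string $nonce): string {
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'nonce-$nonce'; object-src 'none'; base-uri 'self'; "
         . "frame-ancestors 'none'";
}

// A legitimate admin script must carry the nonce; an injected
// <script>alert('XSS')</script> has none and the browser refuses to run it.
function script_tag(string $src, string $nonce): string {
    return '<script src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" nonce="' . $nonce . '"></script>';
}

$nonce = csp_nonce();
if (!headers_sent()) {
    header(csp_strict($nonce));   // must be sent before any output
}
// Placeholder path for the admin panel's own script.
echo script_tag('/admin/js/categories.js', $nonce), PHP_EOL;
```

CSP does not replace output encoding: the payload is still stored and still lands in the page, and it is only blocked in browsers that enforce the policy. Encode first, then add the header.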
Impact
- Admin account compromise.
- Unauthorized CMS modifications.
- Data exfiltration.
Sources:
Reported By: nvd.nist.gov