Stored XSS in multiple menus in flatpressblog/flatpress

Status: Valid

Reported on Dec 21st 2022


Description

The demo website is affected by stored XSS in multiple menus.

Proof of Concept 01

#1. Access the demo website http://demos4.softaculous.com/

#2. Log in with the admin user they provide, click the Uploader menu, upload any file in the Uploader tab, then switch to the Media manager tab.

#3. We can see that the file is uploaded there and the web app allows us to add a new gallery. Write an XSS payload there and press the Add button (in this scenario, I used the payload "><img src=x onerror=alert("XSS")>).

#4. The payload will be triggered immediately.

Link: https://drive.google.com/file/d/1VpZVguIL0hc-ZK-quD4ZAfvsy38OQuMu/view?usp=sharing

Proof of Concept 02

#1. Access the demo website and click the Entries menu.

#2. Choose the "Write Entry" tab and write the XSS payload "><img src=x onerror=alert("XSS")> in the textarea.

#3. Press "Save & Continue" and the XSS payload will be triggered in several places (watch the PoC video for details).

Link: https://drive.google.com/file/d/12zOYzQ4GWHW5QMIq5NkIViVaxpMRtQFD/view?usp=sharing

Note: The same happens with the Statics menu.
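The root cause in Part 1 is that the gallery name entered in the Media manager is stored and later written into the page markup unencoded, so the browser parses the quoted payload as HTML. The snippet below is an added illustration written for this page, not FlatPress's own code (the function names render_gallery_name_unsafe and render_gallery_name_safe and the link format are hypothetical). It reuses the payload quoted in the report as its sample input and shows the vulnerable rendering next to the hardened one, which encodes at output time for the HTML context.

```php
<?php
// Added example, not FlatPress code. Shows why the stored gallery name from
// Part 1 executes script and how output encoding neutralises it.

// Constructed sample input: the string a user typed into the "Add gallery"
// field. It is the same payload quoted in the report above.
$galleryName = '"><img src=x onerror=alert("XSS")>';

// Vulnerable pattern (hypothetical): the stored string is concatenated
// straight into markup, both inside an attribute and as element text.
function render_gallery_name_unsafe(string $name): string
{
    return '<a href="?gallery=' . $name . '">' . $name . '</a>';
}

// Hardened pattern (hypothetical): encode for each output context at the
// point of output. ENT_QUOTES escapes both " and ' so an attribute value
// cannot be terminated early; ENT_SUBSTITUTE avoids returning an empty string
// on invalid UTF-8; the charset must match the page's declared encoding.
// The URL part of the link is encoded separately because it is a different
// context from the HTML text.
function render_gallery_name_safe(string $name): string
{
    $html = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = rawurlencode($name);
    return '<a href="?gallery=' . $url . '">' . $html . '</a>';
}

// Regression-style check a maintainer could keep beside the fix: the encoded
// output must contain no raw tag start and no raw double quote from input.
function gallery_output_is_inert(string $rendered): bool
{
    // The only "<" and "\"" allowed are the ones our own template emits.
    $template = render_gallery_name_safe('');
    $ownLt     = substr_count($template, '<');
    $ownQuotes = substr_count($template, '"');
    return substr_count($rendered, '<') === $ownLt
        && substr_count($rendered, '"') === $ownQuotes;
}

$unsafe = render_gallery_name_unsafe($galleryName);
$safe   = render_gallery_name_safe($galleryName);

echo "Unsafe rendering:\n", $unsafe, "\n\n";
echo "Safe rendering:\n", $safe, "\n\n";

// The unsafe output fails the check (the payload's "><img ... survives as
// markup); the safe output passes (it survives only as &quot;&gt;&lt;img ...).
var_dump(gallery_output_is_inert($unsafe));
var_dump(gallery_output_is_inert($safe));
```

In the safe rendering the browser displays the payload as literal text, so the onerror handler never exists as an attribute. The same encode-on-output rule applies to the other menus named in this report; the maintainer's reply below explains why entry bodies (Part 2) are deliberately exempt from it for the site admin.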

Impact

An attacker is able to steal users' cookies.

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 5 months ago
Chuu modified the report 5 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 5 months ago
flatpressblog/flatpress maintainer validated this vulnerability 5 months ago

Part 1 is valid, thanks for reporting. Part 2 is "as designed": Site admin is able to put custom HTML and JS into entries.

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit d3f329 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023
Chuu (Researcher), 5 months ago:

Thank you so much! Have a good day.

flatpressblog/flatpress maintainer published this vulnerability 2 months ago