Stored XSS via blog author parameter on admin.php?p=config in flatpressblog/flatpress

Valid

Reported on

Jan 1st 2023


Description

The blog author parameter on the page admin.php?p=config is not sanitized, which makes it possible to inject arbitrary JavaScript code.

Proof of Concept

  • Log in as a regular user
  • Go to http://localhost/flatpress/admin.php?p=config
  • Set the blog author to "><script>alert(document.domain)</script>
  • Refresh the page


Impact

JavaScript code can be executed on the user end without any interaction.
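
The mitigation for this class of bug is to encode the stored value for its HTML context when it is written to the page. The following is an added example, not FlatPress code and not the contents of the fix commit; it assumes, from the "> prefix of the reported value, that the author string is rendered inside a double-quoted HTML attribute, and the function names and form field are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the config form; not FlatPress's own code.

// Before: the stored value is concatenated into the attribute unchanged, so
// a double quote in it closes the attribute and the rest is parsed as markup.
function render_author_unsafe(string $author): string
{
    return '<input type="text" name="author" value="' . $author . '">';
}

// After: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_author_safe(string $author): string
{
    $encoded = htmlspecialchars($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="author" value="' . $encoded . '">';
}

// Returns true when the rendered field is a single tag whose value
// attribute decodes back to exactly the stored string.
function field_is_contained(string $html, string $stored): bool
{
    if (substr_count($html, '<') !== 1) {
        return false; // extra markup escaped the attribute
    }
    if (preg_match('/ value="([^"]*)">$/', $html, $m) !== 1) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $stored;
}

// First value is the one from the report; the second is a constructed,
// legitimate name with quotes that must survive a round trip unchanged.
$samples = [
    '"><script>alert(document.domain)</script>',
    'Dana "DJ" O\'Neil',
];

foreach ($samples as $value) {
    printf("unsafe contained: %s\n", var_export(field_is_contained(render_author_unsafe($value), $value), true));
    printf("safe contained:   %s\n", var_export(field_is_contained(render_author_safe($value), $value), true));
}
```

The unsafe renderer fails the containment check for both samples, including the legitimate name, which is why encoding at output is preferred over rejecting quotes at input.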

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 4 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 4 months ago
flatpressblog/flatpress maintainer validated this vulnerability 4 months ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 0ee4f2 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023
flatpressblog/flatpress maintainer published this vulnerability 2 months ago