CVE-2020-35241 - FlatPress 1.0.3 - 'Blog Content' Stored Cross-Site Scripting
Exploit Title: FlatPress 1.0.3 - 'Blog Content' Stored Cross-Site Scripting
Date: 04-12-2020
Exploit Author: Hemant Patidar (HemantSolo)
Vendor Homepage: https://www.flatpress.org/
Software Link: https://www.flatpress.org/download
Version: 1.0.3
Tested on: Windows 10/Kali Linux
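Stored Cross-Site Scripting (XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two main XSS types (the other being reflected XSS). It occurs when a malicious script is injected directly into a vulnerable web application, which stores it and serves it to users who later view the affected page.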
Vulnerable Parameters: Admin Page and Blog Content.
Steps-To-Reproduce:
- Go to the FlatPress admin page.
- Go to Entries - Write Entry.
- Enter any subject.
- Put the payload below in Content: "<script>alert(document.cookie)</script>"
- Click the Save&Continue button.
- The XSS will be triggered.
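
The steps above work when stored entry content reaches the browser without HTML encoding. The PHP sketch below is an added example, not FlatPress source code and not part of the original advisory; the function names and the `$entry` array are hypothetical and the sample data is constructed. It shows the unencoded rendering pattern beside an encoded one, plus a cookie setting that limits what a script reading `document.cookie` can see.

```php
<?php
// Added illustration; NOT FlatPress code. All function names are hypothetical.

// Constructed sample: an entry as it would be stored after the steps above.
$entry = [
    'subject' => 'Test entry',
    'content' => '<script>alert(document.cookie)</script>',
];

// Vulnerable pattern: stored fields are concatenated into the page unchanged,
// so the browser parses the stored <script> element as markup and executes it.
function render_entry_unsafe(array $entry): string
{
    return '<h2>' . $entry['subject'] . '</h2>'
         . '<div class="entry">' . $entry['content'] . '</div>';
}

// Hardened pattern: HTML-encode every stored field at output time, so
// <, >, &, " and ' are emitted as entities and displayed as text.
function render_entry_safe(array $entry): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<h2>' . $esc($entry['subject']) . '</h2>'
         . '<div class="entry">' . $esc($entry['content']) . '</div>';
}

// Defence in depth: call before session_start(). HttpOnly keeps the session
// cookie out of document.cookie, which is what the payload above reads.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
}

// Print both renderings so the difference is visible in the page source.
echo render_entry_unsafe($entry), PHP_EOL;
echo render_entry_safe($entry), PHP_EOL;
```

Encoding the whole field is only suitable where entries are meant to be plain text; an application that intentionally allows markup in entries needs an allowlist-based HTML sanitizer instead.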
