CVE-2020-35241 - FlatPress 1.0.3 - 'Blog Content' Stored Cross-Site Scripting

Exploit Title: FlatPress 1.0.3 - 'Blog Content' Stored Cross-Site Scripting

Date: 04-12-2020

Exploit Author: Hemant Patidar (HemantSolo)

Vendor Homepage: https://www.flatpress.org/

Software Link: https://www.flatpress.org/download

Version: 1.0.3

Tested on: Windows 10/Kali Linux

Stored Cross-Site Scripting (XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two main XSS types (stored and reflected). It occurs when a malicious script is injected directly into a vulnerable web application.

Vulnerable Parameters: Admin Page and Blog Content.

Steps-To-Reproduce:

  1. Go to the FlatPress admin page.
  2. Go to Entries - Write Entry.
  3. Enter any subject.
  4. Put the following payload in Content: "<script>alert(document.cookie)</script>"
  5. Click the Save&Continue button.
  6. The XSS will be triggered.
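
The pattern behind this finding next to its fix, as an added example that is not FlatPress code and not part of the original advisory: stored entry content written into the page verbatim versus HTML-encoded on output. The function names, the entry array layout and the header values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: an entry as it would sit in storage after step 5.
$entry = [
    'subject' => 'Any subject',
    'content' => '<script>alert(document.cookie)</script>',
];

// Vulnerable pattern (hypothetical renderer): stored content is emitted as-is,
// so the browser parses the <script> element on every page view.
function render_entry_unsafe(array $entry): string
{
    return "<h2>{$entry['subject']}</h2>\n"
         . "<div class=\"entry\">{$entry['content']}</div>";
}

// Output encoding for an HTML text context: <, >, &, " and ' become entities.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every stored field is encoded at the point of output.
function render_entry_safe(array $entry): string
{
    return '<h2>' . esc($entry['subject']) . "</h2>\n"
         . '<div class="entry">' . esc($entry['content']) . '</div>';
}

// Defense in depth (assumed policy values): block inline scripts and keep the
// session cookie out of reach of document.cookie. Call before session_start()
// and before any output is sent.
function harden_response(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
}

if (PHP_SAPI !== 'cli') {
    harden_response();
}

echo "--- unsafe ---\n", render_entry_unsafe($entry), "\n\n";
echo "--- safe ---\n", render_entry_safe($entry), "\n";
```

Encoding at output covers entries that were already saved with markup in them; filtering only at save time would leave those in place.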
