FlatpressCVEs & Vulnerabilities

36 CVEs affecting Flatpress products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

flatpress 36
CVE-2025-44108MEDIUM

A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently.

19 May 2025
4.8
CVSS
CVE-2025-29602MEDIUM

flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories.

7 May 2025
6.1
CVSS
CVE-2024-9847HIGH

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.

20 Mar 2025
8.0
CVSS
CVE-2024-9699MEDIUM

A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev.

20 Mar 2025
5.4
CVSS
CVE-2024-4023HIGH

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin.

20 Mar 2025
8.1
CVSS
CVE-2025-25460MEDIUM

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to improper input sanitization of the "TextArea" field in the blog entry submission form.

24 Feb 2025
4.8
CVSS
CVE-2024-41290HIGH

FlatPress CMS v1.3.1 1.3 was discovered to use insecure methods to store authentication data via the cookie's component.

2 Oct 2024
8.1
CVSS
CVE-2024-33210MEDIUM

A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users.

2 Oct 2024
5.4
CVSS
CVE-2024-33209MEDIUM

FlatPress v1.3 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into the "Add New Entry" section, which allows them to execute arbitrary code in the context of a victim's web browser.

2 Oct 2024
5.4
CVSS
CVE-2024-31835MEDIUM

Cross Site Scripting vulnerability in flatpress CMS Flatpress v1.3 allows a remote attacker to execute arbitrary code via a crafted payload to the file name parameter.

1 Oct 2024
4.8
CVSS
CVE-2024-25412MEDIUM

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field.

27 Sep 2024
6.1
CVSS
CVE-2024-25411MEDIUM

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php.

27 Sep 2024
6.1
CVSS
CVE-2023-1148MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

2 Mar 2023
4.8
CVSS
CVE-2023-1147MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

2 Mar 2023
5.4
CVSS
CVE-2023-1146MEDIUM

Cross-site Scripting (XSS) - Generic in GitHub repository flatpressblog/flatpress prior to 1.3.

2 Mar 2023
5.4
CVSS
CVE-2023-1107MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

2 Mar 2023
5.4
CVSS
CVE-2023-1106MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3.

2 Mar 2023
6.1
CVSS
CVE-2023-1105HIGH

External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3.

1 Mar 2023
8.1
CVSS
CVE-2023-1104MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

1 Mar 2023
5.4
CVSS
CVE-2023-0947CRITICAL

Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.

22 Feb 2023
9.8
CVSS
CVE-2022-4822MEDIUM

A vulnerability, which was classified as problematic, has been found in FlatPress. This issue affects some unknown processing of the file setup/lib/main.lib.php of the component Setup. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1. It is recommended to apply a patch to fix this issue. The identifier VDB-217001 was assigned to this vulnerability.

29 Dec 2022
6.1
CVSS
CVE-2022-4821MEDIUM

A vulnerability classified as problematic was found in FlatPress. This vulnerability affects the function onupload of the file admin/panels/uploader/admin.uploader.php of the component XML File Handler/MD File Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 3cc223dec5260e533a84b5cf5780d3a4fbf21241. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217000.

29 Dec 2022
6.1
CVSS
CVE-2022-4820MEDIUM

A vulnerability classified as problematic has been found in FlatPress. This affects an unknown part of the file admin/panels/entry/admin.entry.list.php of the component Admin Area. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is 229752b51025e678370298284d42f8ebb231f67f. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216999.

29 Dec 2022
6.1
CVSS
CVE-2022-4755MEDIUM

A vulnerability was found in FlatPress and classified as problematic. This issue affects the function main of the file fp-plugins/mediamanager/panels/panel.mediamanager.file.php of the component Media Manager Plugin. The manipulation of the argument mm-newgallery-name leads to cross site scripting. The attack may be initiated remotely. The name of the patch is d3f329496536dc99f9707f2f295d571d65a496f5. It is recommended to apply a patch to fix this issue. The identifier VDB-216869 was assigned to this vulnerability.

27 Dec 2022
6.1
CVSS
CVE-2022-4748CRITICAL

A vulnerability was found in FlatPress. It has been classified as critical. This affects the function doItemActions of the file fp-plugins/mediamanager/panels/panel.mediamanager.file.php of the component File Delete Handler. The manipulation of the argument deletefile leads to path traversal. The name of the patch is 5d5c7f6d8f072d14926fc2c3a97cdd763802f170. It is recommended to apply a patch to fix this issue. The identifier VDB-216861 was assigned to this vulnerability.

27 Dec 2022
9.8
CVSS
CVE-2022-4605MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

18 Dec 2022
5.4
CVSS
CVE-2022-4606CRITICAL

PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.

18 Dec 2022
9.8
CVSS
CVE-2022-40047MEDIUM

Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.

11 Oct 2022
5.4
CVSS
CVE-2022-40048HIGH

Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function.

29 Sep 2022
7.2
CVSS
CVE-2021-41432MEDIUM

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.

23 Jun 2022
5.4
CVSS
CVE-2022-24588MEDIUM

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

15 Feb 2022
5.4
CVSS
CVE-2020-22761HIGH

Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.

30 Jul 2021
8.8
CVSS
CVE-2020-35241MEDIUMpoc

FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user will go to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

30 Dec 2020
4.8
CVSS
CVE-2014-100036MEDIUM

Cross-site scripting (XSS) vulnerability in FlatPress 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter to the default URI.

13 Jan 2015
4.3
CVSS
CVE-2009-4461MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.909 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) contact.php, (2) login.php, and (3) search.php.

30 Dec 2009
4.3
CVSS
CVE-2008-4120MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.804 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) pass parameter to login.php, or the (3) name parameter to contact.php.

29 Sep 2008
4.3
CVSS
← PrevPage 1 / 1Next →