CVE-2025-29602

CVE-2025-29602 - Stored cross-site scripting (XSS) vulnerability in FlatPress CMS 1.3.1

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of FlatPress CMS 1.3.1. An attacker with admin privileges can inject a malicious JavaScript payload through the category editor, and the payload is then stored persistently.

When a regular user visits the compromised page (e.g., a blog post), the injected payload executes automatically in the victim’s browser.

Affected product

⚠️ Impact

Steps to Reproduce:

1. Download FlatPress CMS from a trustworthy source (https://github.com/flatpressblog/flatpress).

2. Launch a local PHP server with the command: php -S 127.0.0.1:80

3. Open the following URL in your browser: https://127.0.0.1/admin.php?p=entry&action=cats

4. In the edit categories field, insert the payload. A pop-up displaying the number "1" appears on the screen, confirming that the payload executed on the home page.

Image

<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
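As an added illustration (not part of this advisory and not FlatPress's own code), the following Python shows why the payload above slips past a blocklist on the raw stored string and why contextual output encoding of the category name neutralizes it: the browser entity-decodes the srcdoc attribute before loading it into the iframe, so "onload" and "(" only appear after decoding. The stored value and the blocklist are constructed assumptions; the PHP equivalent of the encoder is htmlspecialchars with ENT_QUOTES.

```python
import html

# Constructed sample: the entity-encoded iframe/srcdoc payload from this advisory,
# as it would sit in the category store after an admin saved it. This is a
# hypothetical reconstruction; FlatPress's real storage code is not shown here.
STORED_CATEGORY_NAME = "<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>"

# Fragments a naive blocklist filter might search for in the raw stored value.
BLOCKED_FRAGMENTS = ("<script", "onload", "alert(")


def naive_filter_allows(value: str) -> bool:
    """True if a blocklist applied to the raw (undecoded) string lets it through."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def srcdoc_as_browser_sees_it(raw_html: str) -> str:
    """Take the unquoted srcdoc attribute value (up to the first '>') and decode
    its character references the way the HTML parser does; the result is the
    document the iframe actually loads."""
    attr_value = raw_html.split("srcdoc=", 1)[1].split(">", 1)[0]
    return html.unescape(attr_value)


def encode_for_html_body(value: str) -> str:
    """Contextual output encoding for an HTML text node: escapes & < > \" and '.
    Equivalent to PHP's htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def renders_as_inert_text(value: str) -> bool:
    """True if the encoded output has no tag delimiters and decodes back to the
    original string, i.e. the browser displays it as literal text, not markup."""
    encoded = encode_for_html_body(value)
    no_markup = "<" not in encoded and ">" not in encoded
    return no_markup and html.unescape(encoded) == value


if __name__ == "__main__":
    print("blocklist passes raw payload:", naive_filter_allows(STORED_CATEGORY_NAME))
    print("iframe document after decoding:", srcdoc_as_browser_sees_it(STORED_CATEGORY_NAME))
    print("encoded for output:", encode_for_html_body(STORED_CATEGORY_NAME))
    print("inert after encoding:", renders_as_inert_text(STORED_CATEGORY_NAME))
```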

Code area

FlatPress GitHub

Reference:

https://portswigger.net/web-security/cross-site-scripting

Fixed Version

FlatPress 1.4 “Notturno” link

CVE Assignment