CVE-2025-44108

A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/flatpressblog/flatpress/commit/24a6feacf1747ec19725b52c097715c8ab9c4559	Patch
https://github.com/flatpressblog/flatpress/releases/tag/1.3.1	Release Notes
https://github.com/flatpressblog/flatpress/releases/tag/1.4.rc2	Release Notes
https://harish0x.github.io/blog/CVE-2025-44108	Exploit Third Party Advisory
https://harish0x.github.io/blog/CVE-2025-44108	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*

History

12 Jun 2025, 16:26

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-19 14:15

Updated : 2025-06-12 16:26

NVD link : CVE-2025-44108

Mitre link : CVE-2025-44108

CVE.ORG link : CVE-2025-44108

JSON object : View

Products Affected

flatpress

flatpress

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-44108", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2025-05-19T14:15:24.340", "references": [{"url": "https://github.com/flatpressblog/flatpress/commit/24a6feacf1747ec19725b52c097715c8ab9c4559", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/flatpressblog/flatpress/releases/tag/1.3.1", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/flatpressblog/flatpress/releases/tag/1.4.rc2", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://harish0x.github.io/blog/CVE-2025-44108", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://harish0x.github.io/blog/CVE-2025-44108", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el panel de administraci\u00f3n de Flatpress CMS (versi\u00f3n anterior a la 1.4) a trav\u00e9s del componente de subt\u00edtulos de la galer\u00eda. Un atacante con privilegios de administrador puede inyectar un payload de JavaScript maliciosa en el sistema, que posteriormente se almacena de forma persistente."}], "lastModified": "2025-06-12T16:26:10.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA4D125F-CD88-4951-8066-05871F2E4EDD", "versionEndExcluding": "1.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}