CVE-2025-25460

MEDIUM

FlatPress 1.3.1 - Authenticated Stored Cross-Site Scripting in Add Entry TextArea Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-25460, a PoC published by RoNiXxCybSeC0101.

AI-analyzed exploit summary: This repository contains a detailed writeup and proof-of-concept for CVE-2025-25460, a stored XSS vulnerability in FlatPress CMS v1.3.1. The vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts via the 'TextArea' field.

Description

A stored cross-site scripting (XSS) vulnerability exists in the "Add Entry" feature of FlatPress 1.3.1 (CWE-79). An authenticated user with access to the entry editor (the CVSS vector rates the required privileges as high, i.e. an administrative-level account) can place a JavaScript payload in the "TextArea" field of the entry submission form. The field is stored without adequate input sanitization, so the payload is written into the blog post and executes in the browser of every user who later views that post.
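The following is an added illustration and is not FlatPress code (FlatPress is written in PHP) nor the published PoC: it shows, in Python, the vulnerable handling of an entry body (the stored "TextArea" value is copied into the page unchanged), an allowlist sanitizer that keeps only a small set of harmless tags and attributes, and an indicator scan that an incident responder can run over entries stored before the fix. The allowed-tag set, the URL prefix list and the sample entry bodies are assumptions constructed for the example.

```python
"""Stored-XSS handling for a blog-entry body: vulnerable pattern, allowlist
sanitizer, and an indicator scan for already-stored entries.
Illustrative Python, not FlatPress code; the entry bodies in SAMPLE_ENTRIES
are constructed samples, not the published PoC payload."""
import html
import re
from html.parser import HTMLParser

# Assumed policy: tags a blog entry may keep, with the attributes allowed on each.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(),
                "p": set(), "a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


def render_vulnerable(body: str) -> str:
    """Vulnerable pattern (CWE-79): the stored body is copied into the page
    unchanged, so any <script> or event handler in it runs for every viewer."""
    return f'<div class="entry">{body}</div>'


class AllowlistSanitizer(HTMLParser):
    """Rebuild an entry body keeping only allowlisted tags/attributes.
    Unknown tags, on* handlers and javascript: URLs are dropped; text nodes
    are re-escaped on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content still passes handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onerror=, onclick=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=False))


def sanitize_entry(body: str) -> str:
    """Return the body with only allowlisted markup; safe to embed in HTML."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.parts)


def render_hardened(body: str) -> str:
    """Hardened pattern: sanitize on output (or on save) before embedding."""
    return f'<div class="entry">{sanitize_entry(body)}</div>'


# Indicator patterns for scanning entries that were stored before the fix.
_INDICATORS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
}


def xss_indicators(body: str) -> list[str]:
    """Names of the indicator classes present in a stored entry body."""
    return [name for name, rx in _INDICATORS.items() if rx.search(body)]


# Constructed sample entry bodies (assumptions for the demo, not real posts).
SAMPLE_ENTRIES = {
    "benign": 'Hello <b>world</b>, see <a href="https://example.com">link</a>.',
    "script": "Post text <script>alert(document.cookie)</script>",
    "handler": '<img src=x onerror="alert(1)">',
    "js_url": '<a href="javascript:alert(1)">click</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLE_ENTRIES.items():
        print(f"{label}: indicators={xss_indicators(body)}")
        print("  vulnerable:", render_vulnerable(body))
        print("  hardened:  ", render_hardened(body))
```

To triage an existing installation, point xss_indicators at the stored entry bodies (whatever storage format the installation uses) and review every hit by hand; the indicator list is deliberately narrow and will miss obfuscated payloads, so it is a starting point for review, not a substitute for sanitizing on output.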

Exploits (1)

nomisec WRITEUP 1 star
by RoNiXxCybSeC0101 · poc
https://github.com/RoNiXxCybSeC0101/CVE-2025-25460

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: FlatPress CMS v1.3.1
Auth required
Prerequisites: Authenticated access to FlatPress CMS · Access to the 'Add Entry' feature
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Scores

CVSS v3.1 base score 4.8 (Medium)
EPSS 0.0050
EPSS percentile 39.0%
Attack Vector NETWORK
CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vector reading: PR:H (an account with high privileges is needed to add entries), UI:R (a victim must view the post), S:C (the payload runs in the viewer's browser, outside the vulnerable component's own authorization scope), C:L/I:L (limited disclosure and tampering, no availability impact).

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
flatpress/flatpress 1.3.1
Published Feb 24, 2025
Tracked Since Feb 18, 2026