CVE-2025-25460

MEDIUM

Flatpress - XSS

Title source: rule

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to improper input sanitization of the "TextArea" field in the blog entry submission form.

Exploits (1)

nomisec WRITEUP 1 stars

by RoNiXxCybSeC0101 · poc

https://github.com/RoNiXxCybSeC0101/CVE-2025-25460

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://github.com/RoNiXxCybSeC0101/CVE-2025-25460

[Product] https://github.com/flatpressblog/flatpress

Scores

CVSS v3 4.8

EPSS 0.0197

EPSS Percentile 83.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

flatpress/flatpress 1.3.1

Published Feb 24, 2025

Tracked Since Feb 18, 2026