Stored XSS Vulnerability in Flatpress CMS Admin Panel
CVE-2025-44108

4.8 MEDIUM

Key Information:

Vendor: Flatpress
CVE Published: 19 May 2025

What is CVE-2025-44108?

A stored Cross-Site Scripting (XSS) vulnerability is present in the administration panel of Flatpress CMS prior to version 1.4. It allows an attacker with admin privileges to inject a malicious JavaScript payload through the gallery captions component. Once injected, the payload is stored persistently within the system and executes whenever the affected page is accessed, potentially compromising user security.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
