Impact
FlatPress contains a stored cross‑site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Affected Systems
All installations of FlatPress are potentially affected; the CVE record does not specify which versions contain the vulnerability, so any version could be impacted until patched. The flaw exists in the core application and is present regardless of the site’s configuration, meaning any publicly accessible comment or contact form is exploitable.
Risk and Exploitability
The CVSS score of 8.4 indicates high severity. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be through normal user interaction; a malicious user can submit a comment or contact entry containing XSS payloads that are stored and later executed when the page is viewed. Administrators are impacted because their browsers will execute the stored script upon visiting the site. No evidence of active exploitation is present in the CVE description, so the primary risk is the potential for widespread XSS if the flaw is utilized.
OpenCVE Enrichment