A stored Cross-Site Scripting vulnerability in FlatPress allows unauthenticated attackers to inject malicious scripts into comment and contact forms, potentially hijacking user sessions.

The vulnerability exists because name, URL, and email fields in comment and contact forms are rendered without proper output encoding. This allows an unauthenticated attacker to inject malicious scripts that execute in the context of an administrator's or other user's browser session.

This vulnerability carries a CVSS score of 8.2, reflecting the high risk of session hijacking and unauthorized administrative actions. Successful exploitation can lead to full site compromise, data theft, and the distribution of malicious content to legitimate site visitors, causing significant reputational damage.

Immediate Action: Update FlatPress to the latest version or apply the specific patch referenced in the vendor's security advisory.

Proactive Monitoring: Audit site comments and contact form submissions for suspicious script tags or encoded payloads.

Compensating Controls: Implement a strict Content Security Policy (CSP) to restrict the execution of unauthorized scripts and utilize a WAF to block common XSS attack patterns.

Public Exploit Available: false

The ability for an unauthenticated attacker to execute arbitrary JavaScript makes this a high-priority vulnerability. Administrators must apply the necessary patches immediately to prevent session hijacking and cross-site scripting attacks against their users and administrators.