PT-2025-7772 · Flatpress · Flatpress

Athul S · Published 2025-02-24 · Updated 2025-02-24 · CVE-2025-25460

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FlatPress version 1.3.1
Description: A stored cross-site scripting (XSS) vulnerability exists in the "Add Entry" feature of FlatPress 1.3.1. The entry body submitted through the TextArea field of the blog entry form is stored without proper sanitization and later rendered into the page without output encoding. An authenticated user with the privileges needed to add entries (PR:H in the vector above) can therefore embed JavaScript in a post, and that script executes in the browser of every other user who views the post.
Recommendations: For FlatPress version 1.3.1, sanitize the entry body submitted through the TextArea field against an allowlist of permitted markup, and HTML-encode it wherever it is written into a page. Note that escaping everything is only correct if the field is meant to hold plain text; if entries are meant to carry markup, use a real HTML sanitizer, since tag-stripping approaches that keep "safe" tags still let event-handler attributes and javascript: URLs through. As a temporary workaround, restrict access to the "Add Entry" feature to trusted accounts until a fix is applied.
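As an added illustration (this is not FlatPress's own code; the function names, the in-memory entry store standing in for the blog's storage, and the payload strings are all hypothetical), the following PHP puts the render-the-stored-body-verbatim pattern the description refers to next to three defences, one of which looks like sanitization but still leaves the stored XSS exploitable.

```php
<?php
// Added example, NOT FlatPress code. Everything here (store_entry, the render_*
// functions, sanitize_html, the $entries array and the payloads) is hypothetical.
declare(strict_types=1);

// Hypothetical "Add Entry" handler: persists $_POST['content'] verbatim.
function store_entry(array &$entries, string $body): int
{
    $entries[] = $body;                       // no validation, no encoding
    return count($entries) - 1;
}

// VULNERABLE: the stored body is interpolated straight into the HTML response,
// so a body of <script>...</script> runs in every viewer's browser.
function render_entry_vulnerable(string $body): string
{
    return "<div class=\"entry\">$body</div>";
}

// FIXED (plain-text field): HTML-encode on output. Markup becomes visible text.
function render_entry_escaped(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"entry\">$safe</div>";
}

// INSUFFICIENT: strip_tags() with an allowlist keeps attributes on the allowed
// tags, so onmouseover="..." and href="javascript:..." survive untouched.
function render_entry_strip_tags(string $body): string
{
    $safe = strip_tags($body, '<b><i><a>');
    return "<div class=\"entry\">$safe</div>";
}

// FIXED (markup allowed): parse the body, then rebuild it from an allowlist of
// elements and attributes. Text is re-encoded, unknown elements are unwrapped,
// script-like elements are dropped with their content, href must be http(s).
function sanitize_html(string $body): string
{
    $allowed = ['b' => [], 'i' => [], 'a' => ['href']];
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // libxml is noisy on fragments
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $body . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    return rebuild($wrapper, $allowed, $dropWithContent);
}

function rebuild(DOMNode $node, array $allowed, array $dropWithContent): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                          // comments and the like are dropped
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, $dropWithContent, true)) {
            continue;                          // drop <script>alert(1)</script> entirely
        }
        $inner = rebuild($child, $allowed, $dropWithContent);
        if (!isset($allowed[$tag])) {
            $out .= $inner;                    // unwrap <img>, <div>, <svg>, ... keep their text
            continue;
        }
        $attrs = '';
        foreach ($allowed[$tag] as $name) {    // only allowlisted attributes are copied
            if (!$child->hasAttribute($name)) {
                continue;
            }
            $value = $child->getAttribute($name);
            if ($name === 'href' && !preg_match('#^https?://#i', $value)) {
                continue;                      // rejects javascript:, data:, vbscript: URLs
            }
            $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
        }
        $out .= "<$tag$attrs>$inner</$tag>";
    }
    return $out;
}

// Constructed attacker input, as a logged-in user could submit via "Add Entry".
$entries = [];
$payloads = [
    '<script>alert(document.cookie)</script>',
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(1)">link</a>',
    'plain <i>italic</i> text &amp; an <a href="https://example.com/">ok link</a>',
];
foreach ($payloads as $p) {
    $id = store_entry($entries, $p);
    echo "entry #$id\n";
    echo "  vulnerable : ", render_entry_vulnerable($entries[$id]), "\n";
    echo "  escaped    : ", render_entry_escaped($entries[$id]), "\n";
    echo "  strip_tags : ", render_entry_strip_tags($entries[$id]), "\n";
    echo "  sanitized  : ", '<div class="entry">' . sanitize_html($entries[$id]) . '</div>', "\n\n";
}
```

Running it shows the second and third payloads passing through the strip_tags variant with their handler and javascript: URL intact, which is the failure mode a "sanitize the TextArea" fix most often falls into. The DOMDocument rebuild is only an illustration of the allowlist idea: libxml2 is not an HTML5 parser, and parser differences between it and the browser are exactly what mutation-XSS payloads exploit, so a production fix should rely on a maintained sanitizer library (for example HTML Purifier) rather than on this code.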


XSS

Weakness Enumeration

Related Identifiers: CVE-2025-25460

Affected Products: Flatpress