Anonymous Intelligence Signal

FlatPress 1.5.1 Critical XSS: Unauthenticated Attackers Can Hijack Admin Accounts via Comment URL

human | The Lab | unverified | 2026-04-19 18:22:38 | Source: GitHub Issues

A critical stored cross-site scripting (XSS) vulnerability in FlatPress 1.5.1 lets an unauthenticated attacker take full administrative control of the blog. The comment form's URL field accepts arbitrary input, and the stored value is later rendered into the administrator's pending-comments page without HTML encoding. A JavaScript payload placed in that field therefore executes in the administrator's browser, inside the administrator's authenticated session, as soon as the admin opens the moderation view; no further interaction is needed, and the session can be driven to a complete account takeover.

The flaw is rated 9.6 (Critical) under CVSS 3.1 and requires no authentication or privileges: submitting a single comment with a crafted URL is enough. Because FlatPress writes this attacker-controlled string into the admin HTML without escaping it, the injected script runs with the admin's session and can submit requests to the admin interface on the attacker's behalf. Since the password-change function does not require the current password, the script can set a new administrator password outright, locking the legitimate owner out of the site.

The bug sits in a core user-facing feature, and its root cause, rendering an unvalidated comment field into HTML, is not tied to one release: earlier FlatPress versions and other CMSs with a similar comment pipeline may carry the same weakness. Administrators should apply a fixed release as soon as one is available and, in the meantime, restrict or disable anonymous comments. The durable fix on the code side is contextual output encoding of the stored URL (together with an allowlist of http and https schemes); input filtering alone is easy to bypass and should not be relied on as the only control against this credential-theft and site-hijacking vector.
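FlatPress is a PHP application, so the pattern behind the bug is easiest to see in PHP. The following is an added example, not FlatPress's own code: it renders a comment author's link the unsafe way the article describes, then the hardened way. The function names, the constructed attacker string, and the link markup are assumptions for illustration.

```php
<?php
// Added example, not FlatPress code: a comment's author link as a
// pending-comments page might render it, first unsafely, then hardened.
// All names and the sample input below are constructed for illustration.

declare(strict_types=1);

// Constructed attacker input for the comment URL field. The closing quote
// breaks out of the href attribute and smuggles in an event-handler attribute
// that fires as soon as the element receives focus.
const ATTACKER_URL = 'http://example.invalid/" onfocus="alert(document.cookie)" autofocus="';

// Vulnerable pattern: the stored field is concatenated straight into HTML.
function renderCommentLinkVulnerable(string $author, string $url): string
{
    return '<a href="' . $url . '">' . $author . '</a>';
}

// Encode for an HTML text node or a double-quoted attribute value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http(s) URLs; anything else (javascript:, data:,
// malformed strings) is rejected and the link is simply not rendered.
function safeCommentUrl(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Hardened pattern: validate the URL, then encode every value at the point
// where it is written into HTML. The encoding step is what guarantees the
// quote in the payload can no longer terminate the attribute, regardless of
// whether the validation step happened to catch it.
function renderCommentLinkHardened(string $author, string $url): string
{
    $safe = safeCommentUrl($url);
    if ($safe === null) {
        return esc($author); // show the name, drop the link
    }
    return '<a href="' . esc($safe) . '" rel="nofollow noopener">' . esc($author) . '</a>';
}

echo "Vulnerable: ", renderCommentLinkVulnerable('anon', ATTACKER_URL), PHP_EOL;
echo "Hardened:   ", renderCommentLinkHardened('anon', ATTACKER_URL), PHP_EOL;
```

The vulnerable line produces an `<a>` element carrying a live `onfocus` handler; the hardened version either refuses the URL or emits it with every `"` turned into `&quot;`, so the attribute boundary cannot be escaped. This closes the XSS sink itself; separately, requiring the current password on a password change and protecting admin actions with anti-CSRF tokens limits what any script that does reach an admin session can do, which is the part of the attack chain the article describes as the route to account takeover.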