FlatPress 1.4 RC2 Security Update: Fixes XSS, CSRF, SQLi, and Session Vulnerabilities

Key Vulnerability Information Security Enhancements Session cookies are now more secure, preventing CSRF attacks (#4883) Removed CookieEditor and Emoticons plugins to eliminate unused script methods (#4822, #4875) Added nonce to PhotoSwipe and Emoticons plugins to prevent XSS attacks (#4822, #4875) Added CSP protection for contact form functionality (#5413) Blocked SQL injection attacks (#5409) Limited admin login attempts to 30 seconds to prevent brute force attacks (#4851) Added CSRF protection to the login page (#5421) Extended session cookie expiration time when user logs in (#4888) Fixed Security Vulnerabilities Fixed issue with FlatPress directly processing .js files; this fix must be activated before enabling FlatPress Protect plugin (#5790) Updated panel is now more secure against XSS attacks (#4822) Deleting entries and static pages is now more secure against XSS and CSRF attacks (#4820) XSS vulnerability in configuration menu has been fixed (#4878, #5650) Fixed Exif metadata leakage issue during image uploads (#4852) Prevented symlink attacks by checking permissions of settings files and directories (#5620) Removed XSS vulnerability from category management panel (#5760) Plugin Security GDPR Video plugin: Simple one-click solution compliant with GDPR, embeds YouTube, Facebook, and Vimeo videos (#5209) Removed LightBox2 plugin (still available from Flatpress-extras repo) (#5359) Removed LastComments Admin plugin (still available from Flatpress-extras repo) (#5559) Other Security-Related Changes RSS Feed plugin: Updated to version 1.9.0 - Image selector correctly displayed after enabling "Allow BBcode in comments" option (#5911) - BBcode creates simple URLs (#4442) - Files and images now sorted alphabetically (#5457) - DataChanger toolbar language formatting corrected (Czech, English, Japanese, Russian). Reported by NhWc. Thanks to WinMan support forum (#4728) - Only two functions output "next" or "previous" links if at least one entry exists for the month (#4728) - "Next", "previous", and "day" links now always include 4-digit numbers (#473) - First page date account based on URL settings now also works when FlatPress runs behind a load balancer or reverse proxy (#473) - Year links from single-digit months are always two digits (#473) - BlockParser plugin: Updated to version 1.0.1 - Plugin list refreshed immediately after activation/deactivation (#5213, #5244) - Removing outdated non-persistent comments no longer causes fatal errors (#5520) - Media Manager plugin: Updated to version 1.0.1 - Files and directories sorted alphabetically (#5457) - SEO Meta Tag Info plugin: - Removed cross-site scripting (XSS) vulnerability (#4931) - Removed XSS vulnerability in Gallery Capture plugin (#5774) ``` These details indicate that FlatPress 1.4 "Notturno" Release Candidate 2 includes numerous security improvements and fixes, such as enhanced session cookie security, protection against CSRF and XSS attacks, and remediation of security flaws in plugins.

Goal Reached Thanks to every supporter — we hit 100%!

FlatPress 1.4 RC2 Security Update: Fixes XSS, CSRF, SQLi, and Session Vulnerabilities

More from this source