CVE-2025-51504

7.6 HIGH

📋 TL;DR

Microweber CMS 2.0 contains a stored cross-site scripting (XSS) vulnerability in the last name field of the profile page. A script injected into that field is stored with the profile and executes in the browser of any user who views the affected profile. All Microweber CMS 2.0 installations that use the vulnerable profile functionality are affected.

💻 Affected Systems

Products:
  • Microweber CMS
Versions: 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the /projects/profile homepage endpoint, specifically in the last name field.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers inject malicious scripts to steal user session data or credentials from visitors viewing compromised profiles.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to modify profile data (typically authenticated access). Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Monitor Microweber security advisories for an official patch.
2. Apply the patch when available.
3. Test in a development environment before production deployment.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation and HTML encoding for all user input in profile fields.

Content Security Policy

Applies to: all

Implement strict CSP headers to prevent script execution from untrusted sources.

Content-Security-Policy: default-src 'self'; script-src 'self'
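To make the two workarounds concrete, here is an added Python example (not Microweber's own PHP code) that puts the vulnerable rendering pattern next to its hardened form. The name policy (MAX_NAME_LEN, the control-character check), the function names and the sample last name are all assumptions made for illustration; the CSP header value is the one given above. The point it shows is that validation alone does not stop the payload, output encoding does, and the CSP header is defence in depth on top of that.

```python
import html
import re

# Constructed sample input (not the advisory's PoC): a last name carrying a script tag.
SAMPLE_LAST_NAME = "Doe<script>alert('XSS')</script>"

# Assumed policy for a name field; Microweber's own rules may differ.
MAX_NAME_LEN = 64
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Header from the workaround above, applied to every profile response.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def validate_last_name(value: str) -> str:
    """Server-side validation: collapse whitespace, enforce length, reject control characters.

    Validation bounds what gets stored; it is not the XSS defence. A name like
    O'Brien and the sample above both pass, so the template must still encode.
    """
    value = " ".join(value.split())
    if not 1 <= len(value) <= MAX_NAME_LEN:
        raise ValueError(f"last name must be 1-{MAX_NAME_LEN} characters")
    if CONTROL_CHARS.search(value):
        raise ValueError("control characters are not allowed")
    return value


def render_profile_unsafe(last_name: str) -> str:
    """The vulnerable pattern: stored data interpolated straight into HTML."""
    return f'<span class="last-name">{last_name}</span>'


def render_profile_safe(last_name: str) -> str:
    """Output encoding: &, <, >, \" and ' become entities, so the browser shows
    the payload as text instead of parsing it as markup."""
    return f'<span class="last-name">{html.escape(last_name, quote=True)}</span>'


def profile_response(last_name: str) -> tuple[dict, str]:
    """Assemble the hardened response: validated, encoded body plus the CSP header."""
    body = render_profile_safe(validate_last_name(last_name))
    headers = {"Content-Type": "text/html; charset=utf-8", CSP_HEADER[0]: CSP_HEADER[1]}
    return headers, body


def contains_live_script(rendered: str) -> bool:
    """Crude check for the verification step: does a raw <script tag survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_LAST_NAME))  # payload survives as markup
    print(render_profile_safe(SAMPLE_LAST_NAME))    # payload rendered as entities
```

The encoding in render_profile_safe is correct for an HTML text or quoted-attribute context; a value placed inside a JavaScript block or a URL would need the encoding for that context instead, which is why the CSP header is worth keeping even once the template is fixed.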

🧯 If You Can't Patch

  • Disable user profile functionality or restrict profile editing to trusted users only.
  • Implement web application firewall (WAF) rules to block XSS payloads in profile data.

🔍 How to Verify

Check if Vulnerable:

Test by entering an XSS payload such as <script>alert('XSS')</script> in the last name field of a user profile, then check whether the script executes when the profile is viewed.

Check Version:

Check the Microweber version in the admin panel or via composer show microweber/microweber.

Verify Fix Applied:

Attempt the same XSS payload after applying the fix; the script should not execute and the payload should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual profile updates with script tags or JavaScript code in last name field
  • Multiple failed XSS attempts in user input logs

Network Indicators:

  • Outbound connections to suspicious domains from profile pages
  • Unexpected script loads in profile page responses

SIEM Query:

source="web_logs" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=") AND uri="/projects/profile"
