Users Account Pre-Takeover or Users Account Takeover. in microweber/microweber
Description
Account pre-takeover or takeover in Microweber prior to 1.2.15 due to missing email verification and social login validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Microweber versions prior to 1.2.15, the registration process lacks email confirmation, and social login does not validate whether an account already exists for the provided email. This allows an attacker to create an account using a victim's email address, effectively taking over the victim's account before the victim has authenticated [1][4].
Exploitation
An attacker needs only the victim's email address. Registering a new account with that email requires no confirmation and grants the attacker immediate access. Additionally, social login can be used to link an existing social account to the victim's email without checking for an existing account, further enabling account takeover [1][4].
Impact
Successful exploitation gives the attacker full control of the victim's account. The attacker can view all activities (confidentiality breach), modify or corrupt data (integrity impact), and potentially disrupt availability. The victim may remain unaware of the takeover [1][4].
Mitigation
The vulnerability is fixed in Microweber version 1.2.15. Users should upgrade to this version or later. No workaround is available other than updating [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
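The two missing checks described above (email confirmation at registration, and validation of an existing account during social login), sketched as a hardened account store in PHP. This is an added example, not Microweber's code or its 1.2.15 fix; `AccountStore`, its methods and the provider's `$emailVerified` flag are assumptions, and returning the token from `register()` stands in for mailing it to the address.

```php
<?php // Added illustration, not Microweber code; every name here is hypothetical.
final class AccountStore
{
    private array $users = []; // email => [hash, verified, token, social]
    // Registration records only an unverified claim; the token is mailed to the address.
    public function register(string $email, string $password): string
    {
        $email = strtolower(trim($email));
        if ($this->users[$email]['verified'] ?? false) {
            throw new DomainException('email already registered');
        }
        $token = bin2hex(random_bytes(32)); // replaces any earlier unverified claim
        $this->users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
            'verified' => false, 'token' => hash('sha256', $token), 'social' => []];
        return $token;
    }

    public function confirmEmail(string $email, string $token): bool
    {
        $email = strtolower(trim($email));
        $stored = $this->users[$email]['token'] ?? '';
        if ($stored === '' || !hash_equals($stored, hash('sha256', $token))) {
            return false;
        }
        $this->users[$email] = ['verified' => true, 'token' => ''] + $this->users[$email];
        return true;
    }

    // Password login is refused until the mailbox owner has confirmed.
    public function login(string $email, string $password): bool
    {
        $u = $this->users[strtolower(trim($email))] ?? null;
        return $u !== null && $u['verified'] && password_verify($password, (string) $u['hash']);
    }

    // Social login needs a provider-verified email and never auto-links to a verified account.
    public function socialLogin(string $provider, string $subject, string $email, bool $emailVerified): string
    {
        $email = strtolower(trim($email));
        $known = $this->users[$email]['verified'] ?? false;
        if (!$emailVerified || ($known && ($this->users[$email]['social'][$provider] ?? null) !== $subject)) {
            throw new DomainException('email not proven, or sign in first to link this identity');
        }
        if (!$known) { // drop any unverified claim together with its password
            $this->users[$email] = ['hash' => null, 'verified' => true, 'token' => '', 'social' => [$provider => $subject]];
        }
        return $email;
    }
}
```

With this store, an account registered under someone else's address can never log in, and it is discarded as soon as the mailbox owner confirms their own registration or signs in through a provider that has verified the address.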
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| microweber/microweber (Packagist) | < 1.2.15 | 1.2.15 |
Affected products
- Range: unspecified
Patches
c162dfffb9bf Update index.blade.php
1 file changed · +4 −2
src/MicroweberPackages/Shop/resources/views/index.blade.php+4 −2 modified@@ -46,9 +46,11 @@ <div class="d-flex"> <p class="col-6 mb-0"> @if($product->hasSpecialPrice()) - <span class="price-old"><?php print currency_format($product->specialPrice); ?></span> + <span class="price-old"><?php print currency_format($product->price); ?></span> + <span class="money"><?php print currency_format($product->specialPrice); ?></span> + @else + <span class="money"><?php print currency_format($product->price); ?></span> @endif - <span class="money"><?php print currency_format($product->price); ?></span> </p> <a class="col-6 text-end text-right align-self-center" href="{{content_link($product->id)}}"> View</a>
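Review bot: nothing in this hunk touches registration, email confirmation or social login; the only change is inside the `@if($product->hasSpecialPrice())` block of the shop `index.blade.php`, so these lines cannot be confirmed as the fix for the account takeover this page describes, and the commit linked to the advisory should be checked against the 1.2.15 release before relying on it. Within the hunk, the prices are printed with raw `<?php print currency_format(...); ?>` while the link below them uses Blade's `{{content_link($product->id)}}`; writing `{{ currency_format($product->price) }}` would keep the view consistent and HTML-escape the output, provided `currency_format` returns plain text.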
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-73rp-q4rx-5grc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-1631 (ghsa, ADVISORY)
- packetstormsecurity.com/files/167376/Microweber-CMS-1.2.15-Account-Takeover.html (mitre, x_refsource_MISC)
- github.com/microweber/microweber/commit/c162dfffb9bfd264d232aaaf5bb3daee16a3cb38 (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/5494e258-5c7b-44b4-b443-85cff7ae0ba4 (ghsa, x_refsource_CONFIRM, WEB)