VYPR
Moderate severity · NVD Advisory · Published Nov 7, 2023 · Updated Sep 4, 2024

Improper Access Control in microweber/microweber

CVE-2023-5976

Description

Microweber prior to 2.0 contains an improper access control vulnerability allowing unauthenticated users to post comments on arbitrary content, including inactive or deleted items.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability is an improper access control flaw in Microweber, a drag-and-drop website builder and CMS built on Laravel. The issue resides in the comment submission functionality, where the UserCommentReplyComponent lacks proper validation of the rel_id parameter, which identifies the content the comment is attached to. Additionally, the scopeActive query scope did not correctly filter out inactive or deleted content, meaning comments could be posted to content that should not be accessible. [1][2][3]

An attacker can exploit this without authentication by sending a crafted POST request to the comment submission endpoint, specifying a rel_id belonging to inactive or deleted content. The fix, introduced in commit bc537ebe, adds a check that verifies the rel_id corresponds to an active content entry using Content::whereActive()->count(), and rejects comments if the count is zero. Before the fix, no such validation existed. [3][4]

Successful exploitation allows an attacker to post comments on any content item, regardless of its active or deleted status. This could be used to spam, deface, or inject malicious content into the comment section of pages that are no longer meant to be publicly accessible, potentially leading to further attacks if the comment content is rendered unsafely. [2][4]

The vulnerability affects Microweber versions prior to 2.0. The fix is available in the referenced commit and the vendor has released version 2.0 which addresses the issue. Users are strongly advised to upgrade to the latest version. [2][3][4]
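To make the before/after behaviour described above concrete, here is an added Python model of the comment save() gate and of the scopeActive predicate (example code, not Microweber's own; the CONTENT rows, the function names and the dict-based return values are constructed assumptions that stand in for Eloquent models and Livewire validation errors):

```python
# Added illustration, not Microweber code: models the comment gate before and
# after commit bc537ebe using plain Python dicts instead of Eloquent models.
from typing import Dict, List, Optional

# Constructed sample content table. Only ids 1 and 4 should accept comments:
# id 2 is inactive, id 3 is soft-deleted, id 4 is active with is_deleted NULL
# (the case the patched scopeActive now treats as "not deleted"), id 99 is absent.
CONTENT: List[Dict] = [
    {"id": 1, "is_active": 1, "is_deleted": 0},
    {"id": 2, "is_active": 0, "is_deleted": 0},
    {"id": 3, "is_active": 1, "is_deleted": 1},
    {"id": 4, "is_active": 1, "is_deleted": None},
]


def scope_active_old(row: Dict) -> bool:
    """Pre-fix scopeActive: is_active = 1 AND is_deleted = 0 (a NULL never matches)."""
    return row["is_active"] == 1 and row["is_deleted"] == 0


def scope_active_new(row: Dict) -> bool:
    """Patched scopeActive: is_active = 1 AND (is_deleted IS NULL OR is_deleted = 0)."""
    return row["is_active"] == 1 and row["is_deleted"] in (None, 0)


def save_comment_vulnerable(rel_id: Optional[int], body: str) -> Dict:
    """Pre-fix save(): only the body is validated; rel_id is copied through unchecked."""
    if len(body) < 3:
        return {"error": "state.comment_body"}
    comment = {"rel_type": "content", "body": body}
    if rel_id is not None:  # any id is accepted, existing or not, active or deleted
        comment["rel_id"] = rel_id
    return {"saved": comment}


def save_comment_patched(rel_id: Optional[int], body: str) -> Dict:
    """Patched save(): rel_id is required and must resolve to an active content row."""
    if rel_id is None:
        return {"error": "state.rel_id"}
    if len(body) < 3:
        return {"error": "state.comment_body"}
    # Equivalent of Content::where('id', rel_id)->whereActive()->count() == 0
    count = sum(1 for r in CONTENT if r["id"] == rel_id and scope_active_new(r))
    if count == 0:
        return {"error": "state.rel_id", "message": "Content not found"}
    return {"saved": {"rel_type": "content", "rel_id": rel_id, "body": body}}
```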

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
microweber/microweber   Packagist   < 2.0.0             2.0.0

Patches

bc537ebe235b

update

https://github.com/microweber/microweber · Bozhidar Slaveykov · Jun 7, 2023 · via ghsa
2 files changed · +17 −6
  • src/MicroweberPackages/Content/Models/Content.php · +7 −1 · modified
    @@ -113,7 +113,13 @@ class Content extends Model
     
         public function scopeActive($query)
         {
    -        return $query->where('is_active', 1)->where('is_deleted', 0);
    +        return $query
    +            ->where('is_active', 1)
    +            ->where(function($subQuery) {
    +                $subQuery
    +                    ->whereNull('is_deleted')
    +                    ->orWhere('is_deleted', 0);
    +            });
         }
     
         public function related()
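Review bot: The closure wrapping the is_deleted test is essential and deserves a comment in the code: without it, `->orWhere('is_deleted', 0)` would be OR-ed against the `is_active` condition as well, and inactive rows with is_deleted = 0 would pass scopeActive. Note also that this hunk widens the scope rather than narrowing it (rows with a NULL is_deleted were excluded before and are included now) while a NULL is_active is still excluded; if the column can legitimately be NULL, a docblock stating that NULL means "not deleted", or a NOT NULL DEFAULT 0 constraint at the schema level, would make that intent explicit.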
    
  • userfiles/modules/comments/src/Http/Livewire/UserCommentReplyComponent.php · +10 −5 · modified
    @@ -3,6 +3,7 @@
     namespace MicroweberPackages\Modules\Comments\Http\LiveWire;
     
     use Livewire\Component;
    +use MicroweberPackages\Content\Models\Content;
     
     class UserCommentReplyComponent extends Component
     {
    @@ -26,6 +27,7 @@ public function render()
         public function save()
         {
             $validate = [
    +            'state.rel_id' => 'required|min:1',
                 'state.comment_body' => 'required|min:3',
             ];
             if (!user_id()) {
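Review bot: `'state.rel_id' => 'required|min:1'` does not constrain the type of the value: when the input is a string, Laravel's `min` rule checks character length, so any single-character string satisfies it. Since rel_id is used as a content id in the next hunk, `'required|integer|min:1'` would reject non-numeric and non-positive values before the database lookup runs.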
    @@ -35,13 +37,16 @@ public function save()
     
             $this->validate($validate);
     
    -        $comment = new \MicroweberPackages\Comment\Models\Comment();
    -
    -        if (isset($this->state['rel_id'])) {
    -            $comment->rel_id = $this->state['rel_id'];
    -            $comment->rel_type = 'content';
    +        $countContent = Content::where('id', $this->state['rel_id'])->whereActive()->count();
    +        if ($countContent == 0) {
    +            $this->addError('state.rel_id', 'Content not found');
    +            return;
             }
     
    +        $comment = new \MicroweberPackages\Comment\Models\Comment();
    +        $comment->rel_id = $this->state['rel_id'];
    +        $comment->rel_type = 'content';
    +
             if (isset($this->state['reply_to_comment_id'])) {
                 $comment->reply_to_comment_id = $this->state['reply_to_comment_id'];
             }
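Review bot: The `$countContent == 0` check is the actual fix and is correctly placed before the Comment model is instantiated, but `count()` computes an aggregate when only existence matters; the same where chain ending in `->exists()` instead of `->count()` states the intent and is cheaper. The generic "Content not found" error is a good choice because it does not reveal whether an id is inactive, deleted or absent. Consider also moving this access check into a shared place (a Comment policy or the Comment model itself) so that any other comment entry point enforces the same rule rather than relying on this Livewire component alone.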
    
