VYPR
Moderate severity · NVD Advisory · Published Aug 1, 2025 · Updated Aug 1, 2025

CVE-2025-51501


Description

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS 2.0 allows execution of arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the id parameter of Microweber CMS 2.0's live_edit.module_settings API endpoint allows attackers to execute arbitrary JavaScript.

Vulnerability

Overview

CVE-2025-51501 is a reflected Cross-Site Scripting (XSS) vulnerability found in Microweber CMS version 2.0. The flaw resides in the id parameter of the live_edit.module_settings API endpoint. Microweber is a drag-and-drop website builder and CMS built on Laravel 10, offering real-time editing and an e-commerce platform. The vulnerability allows an attacker to inject arbitrary client-side scripts via the id parameter, which are then reflected back to the user's browser without proper sanitization or encoding [1][2].

Exploitation and Attack Surface

Exploitation of this vulnerability requires no authentication on the attacker's side; it is triggered by convincing a logged-in user to open a crafted link. The attacker does not need any special network position, since the attack is carried out remotely via a malicious URL. The id parameter is reflected directly without validation, enabling the injection of arbitrary HTML and JavaScript. Because live_edit.module_settings is an administrative endpoint, the attack surface is particularly dangerous: the victims are backend users [3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the victim's browser session. This can lead to session hijacking, defacement of the admin panel, or exfiltration of sensitive data such as cookies, tokens, or API keys. Because the endpoint is associated with module settings, an attacker could potentially alter site configurations or escalate privileges. The impact is amplified by the fact that Microweber is often used for e-commerce, where session compromise could expose customer data or payment information [2][4].

Mitigation Status

As of the publication date (2025-08-01), no official patch from Microweber has been reported. Users are advised to sanitize the id parameter manually or apply input validation, restrict access to the affected endpoint, and enforce Content Security Policy (CSP) headers. Given the lack of a vendor fix, organizations using Microweber 2.0 should monitor the vendor's GitHub repository for updates and consider temporary workarounds until a patch is available [1][3].
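The three workarounds above (input validation, output encoding, CSP) are easiest to see side by side. The following is an added illustration written for this page, not Microweber's code: the advisory does not show the affected template, so the render functions below are a generic stand-in for "an endpoint that echoes its id parameter into HTML", and the allowlist pattern for a module id is an assumption chosen for the example. The detection helper is the check a reviewer or scanner would run against a response to confirm whether a parameter is reflected unencoded.

```python
import html
import re

# Assumed allowlist for a module identifier (letters, digits, underscore, hyphen,
# bounded length). Microweber's real id format is not stated in the advisory;
# adjust the pattern to the identifiers the application actually uses.
MODULE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# A restrictive CSP that blocks inline scripts; it limits the damage of any
# reflection the other two controls miss (defense in depth, not a substitute).
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def encode_for_html(value: str) -> str:
    """Encode a value for safe interpolation into an HTML text node or quoted attribute."""
    return html.escape(value, quote=True)


def render_settings_vulnerable(module_id: str) -> str:
    """Weak pattern (hypothetical): the request parameter is copied into the page unchanged."""
    return (
        f'<div class="module-settings" data-id="{module_id}">'
        f"Settings for {module_id}</div>"
    )


def render_settings_hardened(module_id: str) -> tuple[int, dict, str]:
    """Hardened pattern: reject ids outside the allowlist, encode on output, send CSP.

    Returns (status_code, headers, body) the way a view function would.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }
    if not MODULE_ID_RE.match(module_id):
        # Validation failure: do not echo the bad value back at all.
        return 400, headers, "<p>Invalid module id.</p>"
    # Encode even though validation passed; the two controls are independent.
    safe = encode_for_html(module_id)
    body = (
        f'<div class="module-settings" data-id="{safe}">'
        f"Settings for {safe}</div>"
    )
    return 200, headers, body


def reflects_markup_unchanged(param: str, body: str) -> bool:
    """Detection check: True when a parameter containing HTML metacharacters
    appears verbatim in the response body, i.e. it was reflected without encoding."""
    has_markup_chars = any(c in param for c in "<>\"'")
    return has_markup_chars and param in body


if __name__ == "__main__":
    # Constructed sample input: harmless markup, enough to show the difference.
    sample = '"><b>not-an-id</b>'
    print("vulnerable reflects unchanged:",
          reflects_markup_unchanged(sample, render_settings_vulnerable(sample)))
    status, headers, body = render_settings_hardened(sample)
    print("hardened:", status, headers["Content-Security-Policy"], body)
```

The allowlist alone would already stop the sample above, but the encoding step is what protects values that legitimately pass validation (or any future relaxation of the pattern), and the CSP header is what contains an injection if a different template is found to reflect input later. Restricting who can reach the endpoint, the remaining workaround the advisory mentions, is an access-control change outside the render path and is not shown here.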

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               | Ecosystem | Affected versions    | Patched versions
microweber/microweber | Packagist | >= 2.0.0, <= 2.0.19  | (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
