VYPR
Moderate severity · NVD Advisory · Published Aug 1, 2025 · Updated Aug 1, 2025

CVE-2025-51502

Description

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Microweber CMS 2.0 lets an attacker execute arbitrary JavaScript in an authenticated admin's browser session via the layout parameter on the /admin/page/create page.

Overview

CVE-2025-51502 is a reflected cross-site scripting (XSS) vulnerability found in Microweber CMS version 2.0. The issue exists in the /admin/page/create page, where the layout parameter is not properly sanitized before being reflected back to the user. An authenticated administrator who visits a crafted URL containing malicious JavaScript in the layout parameter will have that script executed in their browser session.

Exploitation

Context

The attack requires the target to be an authenticated administrator[1]. An attacker can craft a malicious link that, when clicked by an admin, triggers arbitrary JavaScript execution. This is a reflected XSS, meaning the payload is delivered via the URL and executed in the context of the vulnerable page[2]. No privileges beyond the victim's existing admin session are involved; the attacker's task is to lure an admin into following the crafted link.

Impact

Successful exploitation allows arbitrary JavaScript execution in the admin's browser session. This could lead to session hijacking, admin account takeover, forced actions on behalf of the admin, or injection of malicious content into the CMS[2]. Since the CMS has drag-and-drop page building and e-commerce features[1], the impact could extend to site defacement, credential theft, or unauthorized modifications to store content.

Mitigation

As of the publication date, no patch has been released by Microweber. Users are advised to avoid clicking untrusted links while logged into the admin panel and to monitor official channels for updates[2][3]. The vendor has not yet acknowledged the vulnerability in their repository[1].
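To show what the unsanitized reflection described above looks like next to a safe rendering, here is an added PHP illustration that is not Microweber's code: the handler functions, the KNOWN_LAYOUTS allow-list and the layout names are hypothetical.

```php
<?php
// Added example (not Microweber code): a minimal page-create handler that
// reflects a "layout" query parameter, first as the vulnerable pattern the
// advisory describes, then hardened. Layout names are hypothetical.

// Hypothetical set of layouts an installation actually offers.
const KNOWN_LAYOUTS = ['default', 'landing', 'blog'];

// Vulnerable: the raw parameter is interpolated into HTML, so any markup
// carried in the URL is rendered live in the admin's browser.
function renderLayoutFieldVulnerable(array $query): string
{
    $layout = $query['layout'] ?? 'default';
    return '<input name="layout" value="' . $layout . '">';
}

// Hardened: reject values outside the allow-list, then escape on output.
// ENT_QUOTES covers both attribute quote styles; escaping is the baseline,
// the allow-list removes the need to trust the value at all.
function renderLayoutFieldSafe(array $query): string
{
    $layout = $query['layout'] ?? 'default';
    if (!in_array($layout, KNOWN_LAYOUTS, true)) {
        $layout = 'default';
    }
    $escaped = htmlspecialchars($layout, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="layout" value="' . $escaped . '">';
}

// Constructed request: a value that breaks out of the attribute.
$probe = ['layout' => '"><b>not a layout</b>'];
echo renderLayoutFieldVulnerable($probe), "\n"; // injected markup is live
echo renderLayoutFieldSafe($probe), "\n";       // falls back to "default"
```

Run with `php example.php`; the second line shows the allow-list fallback, and replacing the probe with a known name such as `blog` shows the escaped pass-through.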

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            | Affected versions    | Patched versions
microweber/microweber (Packagist)  | >= 2.0.0, <= 2.0.19  | none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)