CVE-2025-51503
Description
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.
Vulnerability
Overview
CVE-2025-51503 is a Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 [2]. The bug resides in user profile fields, where input is not properly sanitized before being stored. When an administrator views the affected profile, the injected script executes in their browser [4].
Exploitation
An attacker needs only the ability to modify profile fields (e.g., by registering an account or compromising an existing user). No elevated privileges or special network access are required. The attack is persistent, as the malicious script remains stored in the database [4].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the admin panel. This can lead to session hijacking, data exfiltration, or further compromise of the CMS instance [2].
Mitigation
As of the publication date, no official patch has been announced. Administrators should restrict profile editing to trusted users and consider applying input validation or a web application firewall until a fix is released [4].
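To make the bug class and the fix concrete, here is an added example (not Microweber's code): a minimal model of an admin profile listing that interpolates stored profile fields into HTML, the same view with HTML-context output encoding, and a small audit helper that flags already-stored profile values carrying script-like markup. The profile row and its field value are constructed for the example.

```python
import html
import re

# Constructed sample row as a profile table might store it. The bio value is a
# harmless marker chosen only to show whether raw markup reaches the browser.
PROFILE = {
    "username": "eve",
    "bio": "<script>alert(1)</script>Hello",  # constructed user-controlled value
}


def render_profile_vulnerable(profile: dict) -> str:
    """Interpolates stored fields straight into HTML: the stored-XSS bug class."""
    return (f'<tr><td>{profile["username"]}</td>'
            f'<td>{profile["bio"]}</td></tr>')


def render_profile_hardened(profile: dict) -> str:
    """Encodes every stored field for the HTML text context before output.

    html.escape() turns <, >, &, " and ' into entities, so a stored value is
    displayed verbatim as text instead of being parsed as markup.
    """
    return (f'<tr><td>{html.escape(profile["username"])}</td>'
            f'<td>{html.escape(profile["bio"])}</td></tr>')


def contains_raw_script(rendered: str) -> bool:
    """Output check used in tests: does the rendered HTML carry a raw <script tag?"""
    return "<script" in rendered.lower()


# Audit pattern for values already sitting in the database: script tags,
# inline event handlers (onerror=, onload=, ...) and javascript: URLs.
ACTIVE_MARKUP = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def audit_stored_profiles(rows: list[dict]) -> list[tuple[str, str]]:
    """Return (username, field) pairs whose stored value looks like active markup.

    Run this over existing rows after deploying output encoding, so that
    payloads stored before the fix are found and cleaned rather than only hidden.
    """
    findings = []
    for row in rows:
        for field, value in row.items():
            if field != "username" and ACTIVE_MARKUP.search(str(value)):
                findings.append((row["username"], field))
    return findings
```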
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| microweber/microweber (Packagist) | >= 2.0.0, <= 2.0.19 | — |
Affected products
- Microweber CMS / Microweber CMS
  - Range: =2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.