VYPR
Moderate severity · NVD Advisory · Published Aug 1, 2025 · Updated Aug 1, 2025

CVE-2025-51504

Description

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Microweber CMS 2.0 suffers from a stored XSS vulnerability in the last name field on the profile page, allowing script injection.

Vulnerability

Overview

Microweber CMS 2.0 [1] is susceptible to a stored Cross-Site Scripting (XSS) vulnerability through the last name field on the /projects/profile (homepage) endpoint [2]. An attacker can inject arbitrary JavaScript code that gets stored and executed when other users view the affected profile.

Exploitation

To exploit this vulnerability, an attacker must be able to edit the last name field of a profile. No authentication bypass is needed, but the attacker does need access to a user account that can modify the profile. The injected script executes in the victim's browser when the victim navigates to the profile page.

Impact

Successful exploitation allows an attacker to perform actions on behalf of the victim, such as stealing session cookies, redirecting to malicious sites, or defacing the profile page. The impact is limited to the browser session of the user viewing the manipulated profile.

Mitigation

As of the publication date, Microweber has not released a patch for this vulnerability. Users are advised to sanitize input for the last name field or implement Content Security Policy (CSP) headers as a temporary workaround. The vulnerability was reported via the GitHub repository [3] [4].
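The two workarounds named above, output encoding of the stored last-name field and a restrictive Content-Security-Policy header, shown side by side with the unencoded rendering pattern that makes a stored value executable. This is an added Python example, not Microweber's code; the profile records, the render helpers, the `probe()` name in the sample and the policy string are all assumptions.

```python
"""Added example (not Microweber's code): output encoding for a stored profile
field plus a CSP header, as defences against stored XSS in a name field."""
import html
import re
from typing import Tuple

# Constructed sample records (not real Microweber data). The second one carries
# markup in the last name, the field the advisory names.
SAMPLE_PROFILES = [
    {"first_name": "Ada", "last_name": "Lovelace"},
    {"first_name": "Eve", "last_name": "O'Neil <script>probe()</script>"},
]

MAX_NAME_LENGTH = 100
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_last_name(value: str) -> str:
    """Input-side check (defence in depth): trim, cap the length, drop control
    characters and refuse angle brackets, which have no place in a name.
    Validation alone is not the fix: the stored value must still be encoded
    when it is rendered, because other code paths may write the same field."""
    cleaned = _CONTROL_CHARS.sub("", value).strip()
    if not cleaned or len(cleaned) > MAX_NAME_LENGTH:
        raise ValueError("last name is empty or too long")
    if "<" in cleaned or ">" in cleaned:
        raise ValueError("last name contains markup characters")
    return cleaned


def render_profile_unsafe(profile: dict) -> str:
    """The pattern behind a stored XSS: stored text interpolated straight into
    HTML. Kept here only so the hardened version can be compared against it."""
    return f'<p class="profile-name">{profile["first_name"]} {profile["last_name"]}</p>'


def render_profile(profile: dict) -> str:
    """Hardened rendering: HTML-entity-encode every field at the point it is
    placed into an HTML text context. quote=True also encodes ' and ", so the
    same helper is safe for attribute values."""
    first = html.escape(profile["first_name"], quote=True)
    last = html.escape(profile["last_name"], quote=True)
    return f'<p class="profile-name">{first} {last}</p>'


def csp_header() -> Tuple[str, str]:
    """A restrictive Content-Security-Policy header as a temporary workaround:
    no inline scripts and no third-party script origins, so injected <script>
    text cannot run even if some template still emits it unencoded. The policy
    is an assumption; tune script-src to the origins the site really loads."""
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", policy)


if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        print("unsafe:  ", render_profile_unsafe(profile))
        print("encoded: ", render_profile(profile))
    print(": ".join(csp_header()))
```

Encoding at render time is the fix; the input check and the CSP header are layers on top of it. A CSP that still allows `'unsafe-inline'` for scripts would not block an injected inline script, so the policy above deliberately omits it.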

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: microweber/microweber (Packagist)
Affected versions: >= 2.0.0, <= 2.0.19
Patched versions: none

Patches

No patches discovered yet.
