CVE-2025-70791
Description
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Scripting (XSS) vulnerability in Microweber 2.0.19 allows attackers to execute arbitrary JavaScript via the orderDirection parameter in the admin abandoned orders endpoint.
Vulnerability
Overview
CVE-2025-70791 is a reflected Cross-Site Scripting (XSS) vulnerability in the /admin/order/abandoned endpoint of Microweber versions up to 2.0.19. The root cause is the lack of sanitization on the orderDirection parameter, which is directly reflected in the page output without proper encoding or filtering [1]. The fix, introduced in commit aa0791fc, applies the xss_clean() function to the parameter before use [3].
Exploitation
An attacker can craft a URL containing a malicious JavaScript payload in the orderDirection parameter, such as ?orderDirection=%22%3E%3Cscript%3Ealert(1)%3B%3C/script%3E. By luring an authenticated administrator to visit this URL, the attacker achieves arbitrary JavaScript execution in the victim's browser [4]. No special privileges are required for the attacker beyond the ability to deliver the crafted link.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's session. This can lead to session hijacking, theft of sensitive data, defacement, or further compromise of the Microweber instance [1]. The attack targets the admin panel, which typically has elevated privileges.
Mitigation
The vulnerability has been patched in Microweber version 2.0.20. Users are strongly advised to upgrade immediately. The commit history shows that the fix also includes additional sanitization improvements for other parameters [3]. No workarounds are available for unpatched versions.
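As an added example (not Microweber's code and not part of this record), a log-triage check for the request shape described above: it flags any request to /admin/order/abandoned whose orderDirection, after undoing percent-encoding (including a doubly-encoded value, which goes slightly beyond the single payload shown here), is not one of the two sort directions. The allow-list of `asc`/`desc` and the combined access-log line format are assumptions; the sample lines are constructed and reuse only the payload quoted in this record.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ABANDONED_PATH = "/admin/order/abandoned"
ALLOWED_DIRECTIONS = {"asc", "desc"}  # assumed legitimate values (the controller default is 'desc')
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)  # markup/handler fragments
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')  # assumed combined-format line

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (payloads are often double-encoded)."""
    for _ in range(rounds):
        if unquote(value) == value:
            break
        value = unquote(value)
    return value

def check_request(target: str):
    """Return a finding for a non-allow-listed orderDirection on the abandoned-orders page, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ABANDONED_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("orderDirection", []):
        value = decode_fully(raw)  # parse_qs already removed one encoding layer
        if value.lower() in ALLOWED_DIRECTIONS:
            continue
        reason = "html/script characters" if SUSPICIOUS.search(value) else "not in allow-list"
        return {"param": "orderDirection", "value": value, "reason": reason}
    return None

def scan_log(lines):
    """Return (client, status, finding) for every log line whose request trips the check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, _method, target, status = m.groups()
            finding = check_request(target)
            if finding:
                findings.append((client, int(status), finding))
    return findings

# Constructed sample traffic (not real logs): the advisory's payload on line 2, the same payload
# percent-encoded twice on line 4, and a merely malformed value on line 5.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:10:00:01 +0000] "GET /admin/order/abandoned?orderDirection=desc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:00:07 +0000] "GET /admin/order/abandoned?orderDirection=%22%3E%3Cscript%3Ealert(1)%3B%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.5 - - [10/May/2026:10:00:09 +0000] "GET /admin/order/abandoned?orderBy=created_at&orderDirection=ASC HTTP/1.1" 200 5120',
    '198.51.100.2 - - [10/May/2026:10:01:12 +0000] "GET /admin/order/abandoned?orderDirection=%2522%253E%253Cscript%253Ealert(1)%253B%253C/script%253E HTTP/1.1" 200 5330',
    '198.51.100.2 - - [10/May/2026:10:01:30 +0000] "GET /admin/order/abandoned?orderDirection=up HTTP/1.1" 200 5120',
]
```

Running `scan_log(SAMPLE_LOG)` yields three findings (lines 2, 4 and 5); the two encoded payloads decode to the same value, and the 200 status on each shows the page rendered the input rather than rejecting it.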
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| microweber/microweber (Packagist) | < 2.0.20 | 2.0.20 |
Affected products
- Microweber/Microweber
  - Range: <=2.0.19
Patches
17 files changed · +33 −7
src/MicroweberPackages/Order/Http/Controllers/Admin/AbandonedOrderController.php+9 −0 modified@@ -19,11 +19,20 @@ public function abandoned(Request $request) $orderDirection = $request->get('orderDirection', 'desc'); $priceBetween = $request->get('priceBetween', false); + + + + $keyword = $request->get('keyword', ''); if (!empty($keyword)) { $filteringResults = true; } + $orderBy = xss_clean($orderBy); + $orderDirection = xss_clean($orderDirection); + $priceBetween = xss_clean($priceBetween); + $keyword = xss_clean($keyword); + $orders = Cart::filter($request->all()) ->where('order_completed', '=', '0') ->groupBy('session_id')
src/MicroweberPackages/Security/HtmlSanitizer/MwHtmlSanitizerReference.php+1 −0 modified@@ -618,6 +618,7 @@ class MwHtmlSanitizerReference 'onwebkitanimationiteration', 'onwebkitanimationstart', 'onwebkittransitionend', + 'oncontentvisibilityautostatechange', 'onwheel', ];
userfiles/modules/categories/edit_category.php+1 −3 modified@@ -51,7 +51,7 @@ } if (isset($_GET['rel_id'])) { - $data['rel_id'] = $_GET['rel_id']; + $data['rel_id'] = xss_clean($_GET['rel_id']); } if (isset($params['parent_page_id'])) { @@ -99,8 +99,6 @@ } } - - ?> <style>
userfiles/modules/content/controllers/Edit.php+2 −1 modified@@ -71,6 +71,7 @@ function index($params) } + // if (isset($params['is_shop'])) { // if (trim($params['is_shop']) == 'y') { // $params['is_shop'] = 1; @@ -118,7 +119,7 @@ function index($params) $recommended_parent = false; - if (isset($params['recommended_parent']) and $params['recommended_parent'] != false) { + if (isset($params['recommended_parent']) and $params['recommended_parent']) { $recommended_parent = $params['recommended_parent']; } elseif (isset($params['parent']) and $params['parent'] != false) { $recommended_parent = $params['parent'];
userfiles/modules/content/views/edit_default.php+2 −2 modified@@ -34,8 +34,8 @@ //dump($data); if (isset($data['content_type']) and ($data['content_type'] == 'page') and $data['id'] == 0) { if (isset($_GET['layout'])) { - $data['layout_file'] = (string)$_GET['layout']; - $data['preview_layout_file'] = (string)$_GET['layout']; + $data['layout_file'] = xss_clean($_GET['layout']); + $data['preview_layout_file'] = xss_clean($_GET['layout']); $layout_details_for_new_page = app()->layouts_manager->get_layout_details([
userfiles/modules/settings/admin.php+1 −0 modified@@ -18,6 +18,7 @@ } else if (isset($_GET['option_group'])) { $show_group = $_GET['option_group']; } +$show_group = xss_clean($show_group); ?> <script type="text/javascript">
userfiles/modules/settings/group/website_group/index.php+17 −1 modified@@ -11,7 +11,6 @@ if (isset($_GET['group']) and $_GET['group']) { $group = $_GET['group']; - if ($group == 'general') { $show_inner = 'settings/group/website'; } elseif ($group == 'updates') { @@ -38,10 +37,27 @@ $show_inner = false; $show_inner = $group; } + + } + + + + + + + ?> <?php if ($show_inner): ?> +<?php + + $show_inner = xss_clean($show_inner); + + ?> + + + <module type="admin/modules/info" back_button_url="settings" />
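Review bot: in AbandonedOrderController.php the sanitized copies are not what reaches the query: `$orderBy`, `$orderDirection`, `$priceBetween` and `$keyword` go through xss_clean, but the next statement calls `Cart::filter($request->all())` with the raw request, so the cleaning only covers later uses of those four locals. For a sort direction an allow-list is the stronger fix, e.g. `$orderDirection = in_array(strtolower($orderDirection), ['asc', 'desc'], true) ? $orderDirection : 'desc';`, and the four empty `+` lines added above `$keyword` are whitespace noise that should be dropped.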
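Review bot: in MwHtmlSanitizerReference.php the new entry 'oncontentvisibilityautostatechange' is inserted between 'onwebkittransitionend' and 'onwheel', which breaks the alphabetical order the neighbouring entries follow; place it with the other `oncon…` handlers. Since this is a deny-list of handler attribute names that needs a manual entry for every new DOM event, a comment naming the reference the list is kept in sync with would help the next maintainer.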
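Review bot: in edit_category.php the name `rel_id` suggests an integer identifier, so `xss_clean($_GET['rel_id'])` is weaker than a type check; `(int)$_GET['rel_id']`, or rejecting a non-numeric value, removes the problem class rather than filtering it. The second hunk only deletes two blank lines before `?>` and is unrelated to the fix.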
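Review bot: in content/controllers/Edit.php the change from `$params['recommended_parent'] != false` to a bare truthiness test is behaviour-neutral in PHP (the loose `!= false` is the same test), so it is a style cleanup; apply it to the `elseif` branch two lines below as well, which still reads `$params['parent'] != false`, and drop the added bare `// ` line in the first hunk, which comments out nothing.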
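Review bot: in edit_default.php replacing `(string)$_GET['layout']` with `xss_clean($_GET['layout'])` drops the string cast, so a request that sends `layout` as an array now hands an array to xss_clean; keep the cast (`xss_clean((string)$_GET['layout'])`) unless xss_clean is known to accept arrays. Because the value then goes to `layouts_manager->get_layout_details`, validating it against the set of known layout files would be a tighter control than output sanitization.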
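Review bot: in settings/admin.php `$show_group = xss_clean($show_group);` runs unconditionally after the `if / else if` chain, but the visible branches only assign `$show_group` when one of the `$_GET` keys is present; if no branch initialises it, this line operates on an undefined variable. Initialise `$show_group` before the chain, or sanitize inside each branch where it is assigned.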
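Review bot: in website_group/index.php the sanitization sits inside `<?php if ($show_inner): ?>`, after `$show_inner` has already been used for the branch decision and, in the else case, assigned straight from `$group` (itself read from `$_GET['group']`); clean `$group` at the point it is read instead, which also covers the `$show_inner = $group;` assignment. The hunk additionally adds about a dozen empty `+` lines and removes one blank line in the first hunk; revert those as whitespace noise.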
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References