CVE-2025-70792
Description
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Microweber 2.0.19's /admin/category/create endpoint via the rel_id parameter, fixed in 2.0.20.
Vulnerability
CVE-2025-70792 describes a Cross-Site Scripting (XSS) vulnerability in Microweber 2.0.19, specifically in the /admin/category/create endpoint. The flaw originates from insufficient sanitization of the rel_id parameter, allowing an attacker to inject arbitrary JavaScript code. The official fix, visible in commit [aa0791f][3], applies the xss_clean() function to the rel_id parameter before it is processed, effectively neutralizing the injection vector.
Exploitation
To exploit the vulnerability, an attacker crafts a URL containing malicious JavaScript in the rel_id parameter. The provided proof-of-concept [4] demonstrates a simple payload: rel_id=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E. The attacker must lure a user with administrative privileges into visiting this crafted URL. No authentication is needed on the attacker's side to trigger the stored XSS: once the administrator opens the page, the injected script runs in the context of the victim's authenticated session.
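The unsafe pattern behind the flaw beside two hardened variants, as an added illustration that is not Microweber's code: the function names are hypothetical, the sample input is the advisory's PoC payload decoded the way PHP populates $_GET, and only standard PHP functions are used.

```php
<?php
// Added illustration (not Microweber's code). Function names are hypothetical.

// Vulnerable pattern: the raw query value is concatenated into the form markup,
// so a value containing a quote and a closing bracket breaks out of the attribute.
function render_rel_id_vulnerable(array $get): string
{
    $relId = $get['rel_id'] ?? '';
    return '<input type="hidden" name="rel_id" value="' . $relId . '">';
}

// Hardened, option 1: rel_id is a relation id, so accept only a non-negative
// integer and fall back to 0 ("no relation") for anything else.
function render_rel_id_validated(array $get): string
{
    $relId = filter_var(
        $get['rel_id'] ?? 0,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($relId === false) {
        $relId = 0;
    }
    return '<input type="hidden" name="rel_id" value="' . $relId . '">';
}

// Hardened, option 2: encode at the HTML attribute sink. This also covers
// string-valued parameters and can be combined with option 1.
function render_rel_id_encoded(array $get): string
{
    $relId = htmlspecialchars(
        (string)($get['rel_id'] ?? ''),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<input type="hidden" name="rel_id" value="' . $relId . '">';
}

// Constructed sample: the PoC payload from the advisory, URL-decoded as PHP
// would do when filling $_GET for /admin/category/create?rel_id=...
$sample = ['rel_id' => urldecode('%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E')];

echo render_rel_id_vulnerable($sample), PHP_EOL;  // attribute breakout, script tag live
echo render_rel_id_validated($sample), PHP_EOL;   // non-integer rejected
echo render_rel_id_encoded($sample), PHP_EOL;     // quotes and brackets encoded
```

Run it with `php example.php` and compare the three lines: only the first one contains a literal `<script>` element.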
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of an authenticated administrator. This could lead to session hijacking, defacement of the admin panel, or theft of sensitive data. The vulnerability is classified as a stored XSS because the malicious script can be persisted and executed when other administrators access the affected category creation page.
Mitigation
Microweber addressed the issue in version 2.0.20. Users should upgrade immediately to this patched release [1][2]. The commit history shows multiple parameters were also sanitized in related controllers, indicating a broader security hardening effort [3]. No workarounds are provided for older versions; upgrading is the only recommended course of action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| microweber/microweber (Packagist) | < 2.0.20 | 2.0.20 |
Affected products
- Microweber/Microweber
- Range: <=2.0.19
Patches
17 files changed · +33 −7
src/MicroweberPackages/Order/Http/Controllers/Admin/AbandonedOrderController.php+9 −0 modified@@ -19,11 +19,20 @@ public function abandoned(Request $request) $orderDirection = $request->get('orderDirection', 'desc'); $priceBetween = $request->get('priceBetween', false); + + + + $keyword = $request->get('keyword', ''); if (!empty($keyword)) { $filteringResults = true; } + $orderBy = xss_clean($orderBy); + $orderDirection = xss_clean($orderDirection); + $priceBetween = xss_clean($priceBetween); + $keyword = xss_clean($keyword); + $orders = Cart::filter($request->all()) ->where('order_completed', '=', '0') ->groupBy('session_id')
src/MicroweberPackages/Security/HtmlSanitizer/MwHtmlSanitizerReference.php+1 −0 modified@@ -618,6 +618,7 @@ class MwHtmlSanitizerReference 'onwebkitanimationiteration', 'onwebkitanimationstart', 'onwebkittransitionend', + 'oncontentvisibilityautostatechange', 'onwheel', ];
userfiles/modules/categories/edit_category.php+1 −3 modified@@ -51,7 +51,7 @@ } if (isset($_GET['rel_id'])) { - $data['rel_id'] = $_GET['rel_id']; + $data['rel_id'] = xss_clean($_GET['rel_id']); } if (isset($params['parent_page_id'])) { @@ -99,8 +99,6 @@ } } - - ?> <style>
userfiles/modules/content/controllers/Edit.php+2 −1 modified@@ -71,6 +71,7 @@ function index($params) } + // if (isset($params['is_shop'])) { // if (trim($params['is_shop']) == 'y') { // $params['is_shop'] = 1; @@ -118,7 +119,7 @@ function index($params) $recommended_parent = false; - if (isset($params['recommended_parent']) and $params['recommended_parent'] != false) { + if (isset($params['recommended_parent']) and $params['recommended_parent']) { $recommended_parent = $params['recommended_parent']; } elseif (isset($params['parent']) and $params['parent'] != false) { $recommended_parent = $params['parent'];
userfiles/modules/content/views/edit_default.php+2 −2 modified@@ -34,8 +34,8 @@ //dump($data); if (isset($data['content_type']) and ($data['content_type'] == 'page') and $data['id'] == 0) { if (isset($_GET['layout'])) { - $data['layout_file'] = (string)$_GET['layout']; - $data['preview_layout_file'] = (string)$_GET['layout']; + $data['layout_file'] = xss_clean($_GET['layout']); + $data['preview_layout_file'] = xss_clean($_GET['layout']); $layout_details_for_new_page = app()->layouts_manager->get_layout_details([
userfiles/modules/settings/admin.php+1 −0 modified@@ -18,6 +18,7 @@ } else if (isset($_GET['option_group'])) { $show_group = $_GET['option_group']; } +$show_group = xss_clean($show_group); ?> <script type="text/javascript">
userfiles/modules/settings/group/website_group/index.php+17 −1 modified@@ -11,7 +11,6 @@ if (isset($_GET['group']) and $_GET['group']) { $group = $_GET['group']; - if ($group == 'general') { $show_inner = 'settings/group/website'; } elseif ($group == 'updates') { @@ -38,10 +37,27 @@ $show_inner = false; $show_inner = $group; } + + } + + + + + + + ?> <?php if ($show_inner): ?> +<?php + + $show_inner = xss_clean($show_inner); + + ?> + + + <module type="admin/modules/info" back_button_url="settings" />
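Review bot: in the AbandonedOrderController hunk the sanitized copies are never used: `$orderBy`, `$orderDirection`, `$priceBetween` and `$keyword` are passed through xss_clean, but the query is still built from `Cart::filter($request->all())`, so the raw request values reach the filter. Either feed the cleaned variables into the filter or, better for sort parameters, validate `$orderDirection` against `['asc', 'desc']` and `$orderBy` against the list of sortable columns, since an HTML sanitizer does not make a value safe for an ORDER BY clause. The four empty `+` lines are whitespace noise and should be dropped.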
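Review bot: in MwHtmlSanitizerReference.php, `'oncontentvisibilityautostatechange'` is inserted between `'onwebkittransitionend'` and `'onwheel'`, which breaks the list's alphabetical order; move it to its sorted position. More importantly, this hunk shows the maintenance cost of enumerating event-handler attributes one by one: every new DOM event needs a new entry. Consider a rule that rejects any attribute whose name begins with `on` (case-insensitively) and keeps this list only as documentation of known handlers.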
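Review bot: the first edit_category.php hunk is the fix for the reported rel_id injection, but `xss_clean($_GET['rel_id'])` sanitizes on input while rel_id is a numeric relation id. The tighter fix is to cast it (`$data['rel_id'] = (int)$_GET['rel_id'];`) or reject non-integer values, and to HTML-encode it wherever the template prints it; an input-side sanitizer leaves every other sink (attribute, JavaScript string) dependent on xss_clean's rules. The second hunk only removes two blank lines before `?>` and needs no change.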
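Review bot: the two changes in content/controllers/Edit.php are cosmetic and unrelated to the security fix: the added line is an empty `//` comment above an already commented-out block, and replacing `$params['recommended_parent'] != false` with a bare truthiness test is behavior-preserving under PHP's loose comparison. Drop the empty `//` line, and consider keeping the tidy-up out of a security commit so the patch stays reviewable.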
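Review bot: in edit_default.php, swapping `(string)$_GET['layout']` for `xss_clean($_GET['layout'])` drops the string cast and still lets any user-supplied value become `$data['layout_file']`, which is then handed to `layouts_manager->get_layout_details`. An HTML sanitizer does not constrain a file name; validate `$_GET['layout']` against the set of known layout files (or at least keep the string cast and apply `basename()`) before using it as a layout path.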
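Review bot: in settings/admin.php, `$show_group = xss_clean($show_group);` runs unconditionally, but `$show_group` is only assigned inside the preceding conditional branches, so a request that takes none of them sanitizes an undefined variable and triggers a warning; initialize `$show_group = '';` before the branches. The value is also used right after `?>` inside a `<script type="text/javascript">` block; if it is interpolated into JavaScript there, emit it with `json_encode($show_group)` rather than relying on an HTML sanitizer, which does not understand the JavaScript string context.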
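Review bot: in website_group/index.php the context line `$show_inner = $group;` still lets an arbitrary `group` value become the inner module path when it matches none of the enumerated groups; `xss_clean($show_inner)` makes it HTML-safe but does not restrict it to a known view. Prefer leaving `$show_inner = false` for unknown groups so only the listed ones render, and apply the sanitizer before `if ($show_inner):` rather than inside it so the branch tests the cleaned value. The many empty `+` lines and the extra `<?php ... ?>` block are whitespace noise and should be collapsed.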
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.