CVE-2025-70792 Overview
A Cross-Site Scripting (XSS) vulnerability exists in the /admin/category/create endpoint of Microweber CMS version 2.0.19. An attacker can manipulate the rel_id parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. This reflected XSS vulnerability requires user interaction but can lead to session hijacking, credential theft, or unauthorized administrative actions when successfully exploited against authenticated administrators.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of an authenticated administrator's browser session, potentially leading to full administrative account compromise, data exfiltration, or malicious content injection.
Affected Products
- Microweber CMS version 2.0.19
- Microweber CMS versions prior to 2.0.20
Discovery Timeline
- 2026-02-05 - CVE CVE-2025-70792 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-70792
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the administrative category creation functionality where user-supplied input through the rel_id parameter is not properly sanitized before being rendered in the response. When an authenticated administrator clicks a malicious link containing a crafted payload, the injected JavaScript executes within their browser context with full access to the administrative session.
The attack requires network access and user interaction, but does not require prior authentication for the attacker. The scope is changed, meaning the vulnerable component and impacted component are different—the vulnerability exists in Microweber's input handling, but the impact occurs in the user's browser. This results in potential compromise of session confidentiality and integrity without affecting system availability.
Root Cause
The root cause of this vulnerability is insufficient input sanitization in the administrative endpoint. The rel_id parameter and other user-controlled inputs were being passed directly to the application without proper XSS filtering. The Microweber development team addressed this by implementing the xss_clean() function across multiple input parameters and enhancing the HTML sanitizer to block additional event handlers including oncontentvisibilityautostatechange.
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious URL targeting the /admin/category/create endpoint with a payload injected into the rel_id parameter. The attacker must then convince an administrator to visit the crafted URL through social engineering techniques such as phishing emails, malicious links in comments, or other methods. Upon visiting the link while authenticated, the victim's browser executes the injected JavaScript code, enabling the attacker to steal session cookies, perform actions on behalf of the administrator, or redirect users to malicious sites.
The security patch demonstrates how Microweber addressed the vulnerability by implementing proper input sanitization:
$orderDirection = $request->get('orderDirection', 'desc');
$priceBetween = $request->get('priceBetween', false);
+
+
+
+
$keyword = $request->get('keyword', '');
if (!empty($keyword)) {
$filteringResults = true;
}
+ $orderBy = xss_clean($orderBy);
+ $orderDirection = xss_clean($orderDirection);
+ $priceBetween = xss_clean($priceBetween);
+ $keyword = xss_clean($keyword);
+
$orders = Cart::filter($request->all())
->where('order_completed', '=', '0')
->groupBy('session_id')
Source: GitHub Commit Details
Additionally, the HTML sanitizer was updated to block new event handlers:
'onwebkitanimationiteration',
'onwebkitanimationstart',
'onwebkittransitionend',
+ 'oncontentvisibilityautostatechange',
'onwheel',
];
Source: GitHub Commit Details
Detection Methods for CVE-2025-70792
Indicators of Compromise
- Suspicious HTTP requests to /admin/category/create containing encoded JavaScript payloads in the rel_id parameter
- Web server logs showing unusual query strings with script tags, event handlers, or JavaScript URI schemes
- Admin session anomalies such as unexpected administrative actions or configuration changes
- Browser-based alerts or JavaScript execution warnings in administrative interfaces
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payload patterns in URL parameters targeting administrative endpoints
- Deploy log analysis tools to identify requests containing common XSS indicators such as <script>, javascript:, or HTML event handlers in query parameters
- Enable Content Security Policy (CSP) violation reporting to detect attempted script injection attacks
- Monitor for unusual administrative activity patterns that may indicate compromised sessions
Monitoring Recommendations
- Configure real-time alerting for requests to /admin/category/create with suspicious parameter values
- Implement security information and event management (SIEM) rules to correlate potential XSS attempts with administrative session activity
- Review web server access logs regularly for patterns indicative of reflected XSS exploitation attempts
- Enable verbose logging on Microweber administrative endpoints to capture detailed request information
How to Mitigate CVE-2025-70792
Immediate Actions Required
- Upgrade Microweber CMS to version 2.0.20 or later immediately to apply the security fix
- Review administrative access logs for any suspicious activity that may indicate prior exploitation
- Invalidate and rotate all administrative session tokens as a precautionary measure
- Implement a Web Application Firewall with XSS protection rules as an additional defense layer
Patch Information
The vulnerability was fixed in Microweber version 2.0.20. The patch implements the xss_clean() function to sanitize user input parameters including orderBy, orderDirection, priceBetween, and keyword before processing. Additionally, the HTML sanitizer reference was updated to include the oncontentvisibilityautostatechange event handler in the blocklist to prevent bypass attempts using newer browser event handlers.
The fix is available in commit aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f.
Workarounds
- If immediate patching is not possible, restrict access to administrative endpoints using IP allowlisting or VPN requirements
- Implement strict Content Security Policy headers to mitigate the impact of XSS attacks by preventing inline script execution
- Deploy a WAF or reverse proxy with XSS filtering capabilities to inspect and sanitize incoming requests
- Train administrators to verify URLs before clicking and to avoid accessing administrative interfaces through external links
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
# Example for Nginx
# Add to server block configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
