Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70792

CVE-2025-70792: Microweber CMS XSS Vulnerability

CVE-2025-70792 is a Cross Site Scripting flaw in Microweber 2.0.19 that allows attackers to execute malicious JavaScript by manipulating the rel_id parameter. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-70792 Overview

A Cross-Site Scripting (XSS) vulnerability exists in the /admin/category/create endpoint of Microweber CMS version 2.0.19. An attacker can manipulate the rel_id parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. This reflected XSS vulnerability requires user interaction but can lead to session hijacking, credential theft, or unauthorized administrative actions when successfully exploited against authenticated administrators.

Critical Impact

Attackers can execute arbitrary JavaScript in the context of an authenticated administrator's browser session, potentially leading to full administrative account compromise, data exfiltration, or malicious content injection.

Affected Products

  • Microweber CMS version 2.0.19
  • Microweber CMS versions prior to 2.0.20

Discovery Timeline

  • 2026-02-05 - CVE CVE-2025-70792 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2025-70792

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the administrative category creation functionality where user-supplied input through the rel_id parameter is not properly sanitized before being rendered in the response. When an authenticated administrator clicks a malicious link containing a crafted payload, the injected JavaScript executes within their browser context with full access to the administrative session.

The attack requires network access and user interaction, but does not require prior authentication for the attacker. The scope is changed, meaning the vulnerable component and impacted component are different—the vulnerability exists in Microweber's input handling, but the impact occurs in the user's browser. This results in potential compromise of session confidentiality and integrity without affecting system availability.

Root Cause

The root cause of this vulnerability is insufficient input sanitization in the administrative endpoint. The rel_id parameter and other user-controlled inputs were being passed directly to the application without proper XSS filtering. The Microweber development team addressed this by implementing the xss_clean() function across multiple input parameters and enhancing the HTML sanitizer to block additional event handlers including oncontentvisibilityautostatechange.

Attack Vector

The attack vector is network-based, requiring an attacker to craft a malicious URL targeting the /admin/category/create endpoint with a payload injected into the rel_id parameter. The attacker must then convince an administrator to visit the crafted URL through social engineering techniques such as phishing emails, malicious links in comments, or other methods. Upon visiting the link while authenticated, the victim's browser executes the injected JavaScript code, enabling the attacker to steal session cookies, perform actions on behalf of the administrator, or redirect users to malicious sites.

The security patch demonstrates how Microweber addressed the vulnerability by implementing proper input sanitization:

php
         $orderDirection = $request->get('orderDirection', 'desc');
         $priceBetween = $request->get('priceBetween', false);
 
+
+
+
+
         $keyword = $request->get('keyword', '');
         if (!empty($keyword)) {
             $filteringResults = true;
         }
 
+        $orderBy = xss_clean($orderBy);
+        $orderDirection = xss_clean($orderDirection);
+        $priceBetween = xss_clean($priceBetween);
+        $keyword = xss_clean($keyword);
+
         $orders = Cart::filter($request->all())
             ->where('order_completed', '=', '0')
             ->groupBy('session_id')

Source: GitHub Commit Details

Additionally, the HTML sanitizer was updated to block new event handlers:

php
         'onwebkitanimationiteration',
         'onwebkitanimationstart',
         'onwebkittransitionend',
+        'oncontentvisibilityautostatechange',
         'onwheel',
     ];

Source: GitHub Commit Details

Detection Methods for CVE-2025-70792

Indicators of Compromise

  • Suspicious HTTP requests to /admin/category/create containing encoded JavaScript payloads in the rel_id parameter
  • Web server logs showing unusual query strings with script tags, event handlers, or JavaScript URI schemes
  • Admin session anomalies such as unexpected administrative actions or configuration changes
  • Browser-based alerts or JavaScript execution warnings in administrative interfaces

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block XSS payload patterns in URL parameters targeting administrative endpoints
  • Deploy log analysis tools to identify requests containing common XSS indicators such as <script>, javascript:, or HTML event handlers in query parameters
  • Enable Content Security Policy (CSP) violation reporting to detect attempted script injection attacks
  • Monitor for unusual administrative activity patterns that may indicate compromised sessions

Monitoring Recommendations

  • Configure real-time alerting for requests to /admin/category/create with suspicious parameter values
  • Implement security information and event management (SIEM) rules to correlate potential XSS attempts with administrative session activity
  • Review web server access logs regularly for patterns indicative of reflected XSS exploitation attempts
  • Enable verbose logging on Microweber administrative endpoints to capture detailed request information

How to Mitigate CVE-2025-70792

Immediate Actions Required

  • Upgrade Microweber CMS to version 2.0.20 or later immediately to apply the security fix
  • Review administrative access logs for any suspicious activity that may indicate prior exploitation
  • Invalidate and rotate all administrative session tokens as a precautionary measure
  • Implement a Web Application Firewall with XSS protection rules as an additional defense layer

Patch Information

The vulnerability was fixed in Microweber version 2.0.20. The patch implements the xss_clean() function to sanitize user input parameters including orderBy, orderDirection, priceBetween, and keyword before processing. Additionally, the HTML sanitizer reference was updated to include the oncontentvisibilityautostatechange event handler in the blocklist to prevent bypass attempts using newer browser event handlers.

The fix is available in commit aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f.

Workarounds

  • If immediate patching is not possible, restrict access to administrative endpoints using IP allowlisting or VPN requirements
  • Implement strict Content Security Policy headers to mitigate the impact of XSS attacks by preventing inline script execution
  • Deploy a WAF or reverse proxy with XSS filtering capabilities to inspect and sanitize incoming requests
  • Train administrators to verify URLs before clicking and to avoid accessing administrative interfaces through external links
bash
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"

# Example for Nginx
# Add to server block configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.