CVE-2025-51501 Scanner

Microweber CMS2.0 is a website content management system used globally by developers and businesses to create and manage dynamic websites with ease. It is popular among users who require a flexible and user-friendly interface to build and customize their online presence. Microweber allows for the integration of various modules and extensions, making it a customizable option for both small and large-scale projects. It targets a wide range of users, from novice developers to experienced web design companies, interested in the substantial design freedom alongside its e-commerce capabilities. Its strength lies in offering a wide array of pre-built themes and drag-and-drop functionality, simplifying website creation. The utilization of it for creating e-commerce platforms and blogs owing to its seamless integration and intuitive management options is widespread.

The scanner detects Cross-Site Scripting (XSS) vulnerabilities within Microweber CMS2.0, a critical security flaw that can lead to unauthorized script execution in the context of a user's browser. This type of vulnerability usually targets the 'id' parameter in the API `live_edit.module_settings`, potentially allowing attackers to inject and execute malicious scripts. XSS vulnerabilities pose a significant risk, as they can facilitate session hijacking, defacement of web content, and redirection to malicious sites. Once exploited, these vulnerabilities can also be used to steal cookies and other sensitive information, compromising the integrity and confidentiality of user data. The detection of such vulnerabilities is crucial in maintaining the security and trustworthiness of web platforms.

The vulnerability exploited involves the 'id' parameter of the `live_edit.module_settings` API endpoint, where user inputs are not adequately sanitized. A successful exploit involves making a GET request to this endpoint with the malicious code embedded in the 'id' parameter. The output returned from the server reflects this script back into the user's browser under certain conditions, particularly when the server returns a 200 status code and content-type of "text/html". This specific endpoint is particularly vulnerable as it lacks proper input validation, allowing the execution of JavaScript in the user's browser. The injected script '' serves as a demonstration of the potential for arbitrary script execution.

If exploited, Cross-Site Scripting (XSS) vulnerabilities can have far-reaching consequences for both users and administrators of the Microweber CMS2.0 platform. Attackers may gain unauthorized access to sensitive user data, perform unauthorized actions on behalf of users, or deploy further attacks leveraging the affected user's credentials. This could lead to a significant breach of privacy or loss of data integrity, leading to identity theft and reputational damage for affected organizations. Furthermore, infected pages may propagate malware to visiting users or be manipulated to deceive users into surrendering sensitive information in phishing attacks.

REFERENCES

• https://github.com/progprnv/CVE-Reports/blob/main/CVE-2025-51501
• https://nvd.nist.gov/vuln/detail/CVE-2025-51501