CVE-2025-51504 is a Cross Site Scripting (XSS) vulnerability identified in Microweber CMS version 2.0. The vulnerability exists in the /projects/profile homepage endpoint, specifically via the last name field. This means that an attacker can inject malicious scripts into the last name input field, which are then improperly sanitized or escaped by the application. When other users or administrators view the affected page, the malicious script executes in their browsers. This type of vulnerability can be exploited to steal session cookies, perform actions on behalf of authenticated users, or deliver malware. Although the affected versions are not explicitly detailed beyond Microweber CMS 2.0, the lack of patch links or known exploits in the wild indicates that this vulnerability is newly disclosed and may not yet be widely exploited. The absence of a CVSS score suggests that the vulnerability has not been fully assessed for severity, but the technical nature of reflected or stored XSS in a CMS platform is well understood in cybersecurity. Since the vulnerability is in a CMS, which is often used to manage website content, the attack surface includes website administrators and visitors who interact with the profile pages. The vulnerability requires user interaction in the form of visiting a maliciously crafted page or profile, but does not require authentication to inject the payload, though exploitation impact is higher if administrators are targeted. The vulnerability is published and reserved recently, indicating it is a current threat that should be addressed promptly.

For European organizations using Microweber CMS 2.0, this XSS vulnerability poses risks to the confidentiality and integrity of user sessions and data. Attackers could hijack administrator sessions, leading to unauthorized content changes, defacement, or further compromise of the CMS environment. This could result in reputational damage, data breaches involving personal or sensitive information, and potential compliance violations under GDPR if personal data is exposed or manipulated. Additionally, attackers could use the vulnerability to deliver malware to site visitors, potentially impacting customers or partners. The impact is particularly significant for organizations that rely on Microweber CMS for public-facing websites or internal portals, as successful exploitation could disrupt business operations and erode trust. Given the lack of known exploits in the wild, the immediate risk may be moderate, but the vulnerability should be treated seriously due to the common exploitation of XSS flaws in web applications.

Organizations should immediately review and sanitize all user input fields, especially the last name field in the /projects/profile endpoint, to ensure proper encoding and escaping of special characters to prevent script injection. Applying input validation both on client and server sides is critical. Since no official patches are currently linked, organizations should monitor Microweber’s official channels for security updates or patches addressing this vulnerability. As a temporary mitigation, implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the affected endpoint can reduce risk. Additionally, enforcing Content Security Policy (CSP) headers can limit the execution of unauthorized scripts in browsers. Organizations should audit their CMS installations to identify if they are running vulnerable versions and consider upgrading to newer, patched versions once available. User education about phishing and suspicious links can also help reduce the risk of exploitation via social engineering.