Vulnerability Description
A cross-site scripting (XSS) vulnerability exists in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microweber | Microweber | 2.0.19 |
Related Weaknesses (CWE)
References
- https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4 (Exploit, Third Party Advisory)
- https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3e (Patch)
FAQ
What is CVE-2025-70791?
CVE-2025-70791 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A cross-site scripting (XSS) vulnerability exists in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin ...
How severe is CVE-2025-70791?
CVE-2025-70791 has been rated MEDIUM with a CVSS base score of 6.1/10. See the CVSS Score section above.
Is there a patch for CVE-2025-70791?
Check the references section above for vendor advisories and patch information; the issue is fixed in Microweber 2.0.20. Affected products include: Microweber (vendor: Microweber), version 2.0.19.