CVE-2025-2214: Microweber vulnerable to XSS attack due to insure `group` component in its Settings handler

March 12, 2025 (updated July 9, 2025)

A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/Fewword/Poc/blob/main/microweber/mwb-poc1.md
github.com/advisories/GHSA-hcgh-r5gq-6qc2
github.com/microweber/microweber
nvd.nist.gov/vuln/detail/CVE-2025-2214
vuldb.com/?ctiid.299285
vuldb.com/?id.299285
vuldb.com/?submit.512032

Code Behaviors & Features

Detect and mitigate CVE-2025-2214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →