CVE-2021-32856: 
PHP vulnerability analysis and mitigation

Microweber, a drag and drop website builder and content management system, was found to contain a copy-paste cross-site scripting (XSS) vulnerability in versions 1.2.12 and prior. The vulnerability, identified as CVE-2021-32856, was discovered where users could be tricked into copying malicious payloads into the text editor. Multiple fix attempts were made in versions 1.2.9 and 1.2.12, but these fixes were determined to be incomplete (GitHub Security Lab).

The vulnerability was identified in the Microweber text editor's copy-paste functionality. The issue was discovered by the GitHub Security Lab team using CodeQL query analysis. The vulnerability allows for cross-site scripting attacks when a user copies and pastes specifically crafted malicious content into the text editor. A fix attempt was implemented through the addition of AntiXSS cleaning functionality, as evidenced in the code commit (GitHub Commit).

The vulnerability could lead to cross-site scripting attacks when successfully exploited, requiring user interaction in the form of copying and pasting malicious content into the text editor (GitHub Security Lab).

Multiple attempts were made to fix the vulnerability. Initial fixes were implemented in versions 1.2.9 and 1.2.12, though these were later found to be incomplete. The first fix attempt was made on September 17, 2021, but was reverted due to breaking features. A subsequent fix was attempted in version 1.2.12 released on March 25, 2022, but was also found to be incomplete (GitHub Security Lab).