CVE-2025-51502: 
PHP vulnerability analysis and mitigation

Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Microweber CMS version 2.0, specifically affecting the layout parameter on the /admin/page/create page. This vulnerability was discovered and published to the CVE List on August 1, 2025, and allows arbitrary JavaScript execution when exploited against authenticated admin users (NVD Database).

The vulnerability is classified as a CWE-79 type (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting. The CVSS v3.1 base score is 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD Database).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of authenticated admin users. This could potentially lead to unauthorized actions being performed with administrative privileges, theft of sensitive information, or manipulation of admin panel content (NVD Database).

The vulnerability was reported and included in the NVD dataset as of August 1, 2025. While specific patch information is not provided in the available sources, administrators should monitor for updates from Microweber CMS and apply any security patches as soon as they become available (NVD Database).