CVE-2025-51502: 
PHP vulnerability analysis and mitigation

Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Microweber CMS version 2.0, specifically affecting the layout parameter on the /admin/page/create page. The vulnerability was disclosed on August 1, 2025, and allows arbitrary JavaScript execution in the context of authenticated admin users (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. The CVSS v3.1 base score is 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network accessible, requires low attack complexity, needs no privileges, requires user interaction, and has a changed scope with low impact on confidentiality and integrity but no impact on availability (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of authenticated administrative users. This could potentially lead to unauthorized actions being performed with administrator privileges, theft of sensitive information, or manipulation of admin panel content (NVD).

The vulnerability has been publicly disclosed, but specific mitigation details or patches have not been mentioned in the available sources. Administrators are advised to exercise caution when clicking on links while logged into the admin panel and to validate all input parameters thoroughly (NVD).