CVE-2024-58289

MEDIUM

Microweber 2.0.15 - Authenticated Stored Cross-Site Scripting via User Profile Fields


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58289. PoCs published by tmrswrr.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Microweber 2.0.15 by injecting a malicious payload into the 'First Name' field of a user profile, which executes when the profile is displayed.

Description

Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.

Exploits (1)

exploitdb WORKING POC
by tmrswrr · text · webapps · php
https://www.exploit-db.com/exploits/52058


Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Microweber 2.0.15
Auth required
Prerequisites: Valid user credentials · Access to the 'Edit Profile' section
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/52058
Broken Link product
https://microweber.me/

Scores

CVSS v3 5.4
EPSS 0.0004
EPSS Percentile 14.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-79
Status published
Products (2)
microweber/microweber 2.0.15
microweber/Microweber 2.0.15
Published Dec 11, 2025
Tracked Since Feb 18, 2026