CVE-2024-58289
MEDIUM
Microweber - XSS
Title source: ruleDescription
Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.
Exploits (1)
References (4)
Scores
CVSS v3: 5.4
EPSS: 0.0007
EPSS Percentile: 20.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (2)
microweber/microweber: 2.0.15
microweber/Microweber: 2.0.15
Published: Dec 11, 2025
Tracked Since: Feb 18, 2026