CVE-2025-4760
Severity: MEDIUM
WSO2 API Control Plane and API Manager - Authenticated Stored Cross-Site Scripting via API Document Upload
Title source: llmDescription
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
References (1)
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/
Scores
CVSS v3: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0017
EPSS Percentile: 7.0%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (12)
org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.api (Maven): 0 - 9.31.117
org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1 (Maven): 0 - 9.31.117
wso2/api_control_plane: 4.5.0
wso2/api_manager: 3.2.0
wso2/api_manager: 3.2.1
wso2/api_manager: 4.1.0
wso2/api_manager: 4.2.0
wso2/api_manager: 4.3.0
wso2/api_manager: 4.4.0
wso2/api_manager: 4.5.0
... and 2 more
Published: Sep 23, 2025
Tracked Since: Feb 18, 2026