CVE-2025-4760

MEDIUM

WSO2 API Control Plane and API Manager - Authenticated Stored Cross-Site Scripting via API Document Upload


Description

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.


Scores

CVSS v3 4.8
EPSS 0.0017
EPSS Percentile 7.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (12)
org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.api 0 - 9.31.117 (Maven)
org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1 0 - 9.31.117 (Maven)
wso2/api_control_plane 4.5.0
wso2/api_manager 3.2.0
wso2/api_manager 3.2.1
wso2/api_manager 4.1.0
wso2/api_manager 4.2.0
wso2/api_manager 4.3.0
wso2/api_manager 4.4.0
wso2/api_manager 4.5.0
... and 2 more
Published Sep 23, 2025
Tracked Since Feb 18, 2026