CVE-2025-70791
Microweber has a Cross-site Scripting vulnerability
6.1
MEDIUM
CVSS 3.1
EPSS 0.02%
Description
Cross-site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
How to fix CVE-2025-70791
To remediate CVE-2025-70791, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.20 or later
Is CVE-2025-70791 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.0.20
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |