Microweber
Moderate fix1 remedy
cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*
Moderate fix1 remedy
- <= 2.0.19
Microweber Cross-Site Scripting Vulnerability in Abandoned Orders Endpoint
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in Microweber version 2.0.19, specifically within the '/admin/order/abandoned' endpoint. The issue arises from the 'orderDirection' parameter, which can be manipulated in a crafted URL. An attacker could lure an admin user to visit this URL, resulting in the execution of JavaScript code in the user's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious scripts in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, first install Microweber version 2.0.19. After setting up the application, navigate to the '/admin/order/abandoned' endpoint and include a crafted 'orderDirection' parameter that contains JavaScript code, such as a script tag with an alert function. When the page is loaded, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users can upgrade to Microweber version 2.0.20 or later, where this vulnerability has been fixed.
Added: Feb 5, 2026, 5:26 PM
Updated: Feb 5, 2026, 9:50 PM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
5.4exploitability
7.7remediation
7.7relevance
2.5threat
6.4urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.