CVE-2025-4760
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-11-21

Assigner: WSO2 LLC

Description
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-11-21
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-4760
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane 4.5.0
wso2 api_manager 3.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_manager 4.5.0
wso2 traffic_manager 4.5.0
wso2 universal_gateway 4.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated stored cross-site scripting (XSS) issue in multiple WSO2 products. It occurs because user-supplied input during API document upload in the Publisher portal is not properly validated. A user with publisher privileges can upload a malicious API document containing JavaScript code, which is then stored and later executed in the browsers of other users who access that document.

Impact Analysis

A successful attack can lead to redirection of users to malicious websites, unauthorized modifications of the user interface, or exfiltration of data accessible through the browser. However, session hijacking is mitigated because session-related cookies are protected by the httpOnly flag.

Mitigation Strategies

To mitigate this vulnerability, restrict publisher privileges to trusted users only, validate and sanitize all user-supplied input during API document uploads, and monitor for any unusual behavior in the Publisher portal. Additionally, consider applying any available patches or updates from WSO2 addressing this issue once released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-4760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart