Stored Cross-Site Scripting Vulnerability in Multiple WSO2 Products
CVE-2025-4760
Key Information:
- Vendor: WSO2
- CVE Published: 23 September 2025
What is CVE-2025-4760?
An authenticated stored cross-site scripting vulnerability is present in multiple WSO2 products. The flaw arises from inadequate validation of user input during API document uploads in the Publisher portal. A user with publishing permissions could exploit it by uploading a crafted API document that includes malicious JavaScript. The script executes when other users view the affected document, potentially leading to unauthorized redirection to harmful websites, unintended modification of the user interface, or compromise of browser-accessible data. Sensitive session cookies remain protected by the httpOnly flag, which mitigates the risk of session hijacking.
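As an added illustration of the mitigation side (this is example code, not code from WSO2 or from this advisory), the following Python sanitizer applies a tag and attribute allow-list to an uploaded API document body before it is stored or rendered, the kind of input validation whose absence the advisory describes. The allow-lists, the function names and the constructed sample upload are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for markup an API document legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "table", "thead", "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_CONTENT_TAGS = {"script", "style"}  # discard the body too, not only the tag

class _DocumentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._suppress = [], [], 0  # dropped = audit trail

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._suppress += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if (name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ())
                    or (name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES))):
                self.dropped.append(f"{tag}@{name}")  # event handler, unknown attr, javascript: URL
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self._suppress:
            self._suppress -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:  # text is re-escaped, so it can never become markup
            self.out.append(escape(data, quote=False))

def sanitize_api_document(html: str) -> tuple[str, list[str]]:  # -> (clean_html, audit)
    p = _DocumentSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample upload: valid documentation markup mixed with the parts a stored-XSS payload relies on.
SAMPLE_UPLOAD = ('<h2>Orders API</h2><p onmouseover="alert(1)">Call <code>GET /orders</code></p>'
                 '<script>alert(1)</script><a href="javascript:alert(1)">docs</a><a href="https://example.com/ref">ref</a>')
```

The returned audit list is worth logging: a document from which scripts or event handlers had to be stripped is itself a signal the publishing account deserves review.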
Affected Version(s) (a range "X < Y" means versions from X up to, but not including, Y):
- WSO2 API Control Plane 4.5.0 < 4.5.0.8
- WSO2 API Manager 3.2.0 < 3.2.0.428
- WSO2 API Manager 3.2.1 < 3.2.1.48