Reflected Cross-Site Scripting (3x XSS) in Multiple WSO2 Products

Three distinct reflected cross-site scripting vulnerabilities exist in the management console of multiple WSO2 products, grouped under a single CVE. In each case, user-controlled input is reflected into the HTML response without sanitisation. The affected endpoints are:

• subscription-email-verification.jsp
• mex_add_ajaxprocessor.jsp
• xml_resource_visualizer_ajaxprocessor.jsp

If a server administrator follows a malicious link, the injected JavaScript executes in the context of the management console session. From there, the attacker can invoke SOAP admin services (CVE-2025-10907) to achieve one-click remote code execution on the underlying server.

This vulnerability was responsibly disclosed and has been patched by the vendor.

Affected products

• WSO2 API Control Plane 4.5.0
• WSO2 API Manager 3.1.0 - 4.5.0
• WSO2 Enterprise Integrator 6.6.0
• WSO2 Identity Server 5.10.0 - 7.1.0
• WSO2 Identity Server as Key Manager 5.10.0
• WSO2 Open Banking AM 2.0.0
• WSO2 Open Banking IAM 2.0.0
• WSO2 Traffic Manager 4.5.0
• WSO2 Universal Gateway 4.5.0

See also

• WSO2: Security Advisory WSO2-2025-4486/CVE-2025-10853