Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2025-4604)

Description

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

Remediation

References

Related Vulnerabilities

WordPress 5.0 Multiple Vulnerabilities (5.0)

WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.13)

WordPress 4.3.x Denial of Service Vulnerability (4.3 - 4.3.15)

Django Improper Output Neutralization for Logs Vulnerability (CVE-2025-48432)

WordPress Plugin WP iCommerce-the first interactive ecommerce for wordpress SQL Injection (1.1.1)

Severity

Medium

Classification

CVE-2025-4604 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities