Description
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions, do not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.
Remediation
References