A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-03-10
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-03-10
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
CVSS Score
5.1
EPSS Score
0.001
Published
2026-01-02
Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVSS Score
8.8
EPSS Score
0.027
Published
2022-03-01
A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.
CVSS Score
5.4
EPSS Score
0.01
Published
2022-03-01
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
CVSS Score
4.8
EPSS Score
0.005
Published
2021-08-12
PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.
CVSS Score
4.8
EPSS Score
0.008
Published
2021-08-12
Page 1