VYPR
Vendor: Pluxml

Products: 1
CVEs: 25
Across products: 25
Status: Private

Recent CVEs (25)
  • CVE-2026-24352 | Critical | Feb 27, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was…

  • CVE-2024-48138 | Critical | Oct 29, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.

  • CVE-2025-57567 | Critical | Oct 17, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code…

  • CVE-2025-70128 | Medium | Mar 10, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary…

  • CVE-2026-24351 | Medium | Feb 27, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. The vendor was notified early about this vulnerability, but…

  • CVE-2026-24350 | Medium | Feb 27, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the…

  • CVE-2017-1001001 | Medium | Nov 1, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    PluXml version 5.6 is vulnerable to stored cross-site scripting within the article creation page, which can result in escalation of privileges.

  • CVE-2025-70129 | Medium | Mar 10, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    If the anti-spam captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and…

  • CVE-2025-15438 | Medium | Jan 2, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be…

  • CVE-2012-2227 | Aug 26, 2012
    risk 0.04 | cvss - | epss 0.10

    Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the default_lang parameter.

  • CVE-2007-3432 | Jun 27, 2007
    risk 0.04 | cvss - | epss 0.08

    Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename.

  • CVE-2007-3542 | Jul 3, 2007
    risk 0.03 | cvss - | epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

  • CVE-2025-67436 | Dec 22, 2025
    risk 0.00 | cvss - | epss 0.01

    Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).

  • CVE-2024-22636 | Jan 25, 2024
    risk 0.00 | cvss - | epss 0.01

    PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited via injecting a crafted payload into the Content field.

  • CVE-2022-25020 | Mar 1, 2022
    risk 0.00 | cvss - | epss 0.01

    A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

  • CVE-2022-25018 | Mar 1, 2022
    risk 0.00 | cvss - | epss 0.03

    Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.

  • CVE-2022-24587 | Feb 15, 2022
    risk 0.00 | cvss - | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2022-24585 | Feb 15, 2022
    risk 0.00 | cvss - | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.

  • CVE-2022-24586 | Feb 15, 2022
    risk 0.00 | cvss - | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.

  • CVE-2021-38603 | Aug 12, 2021
    risk 0.00 | cvss - | epss 0.01

    PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.