Pluxml
All CVEs
25 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-24352 | Cri | 0.64 | 9.8 | 0.00 | Feb 27, 2026 | PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was… |
| CVE-2024-48138 | Cri | 0.64 | 9.8 | 0.01 | Oct 29, 2024 | A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code by injecting a crafted payload into a template. |
| CVE-2025-57567 | Cri | 0.59 | 9.1 | 0.01 | Oct 17, 2025 | A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code… |
| CVE-2025-70128 | Med | 0.40 | 6.1 | 0.00 | Mar 10, 2026 | A stored cross-site scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary… |
| CVE-2026-24351 | Med | 0.35 | 5.4 | 0.00 | Feb 27, 2026 | PluXml CMS is vulnerable to stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited. The vendor was notified early about this vulnerability, but… |
| CVE-2026-24350 | Med | 0.35 | 5.4 | 0.00 | Feb 27, 2026 | PluXml CMS is vulnerable to stored XSS in the file upload functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the… |
| CVE-2017-1001001 | Med | 0.35 | 5.4 | 0.01 | Nov 1, 2017 | PluXml version 5.6 is vulnerable to a stored cross-site scripting vulnerability within the article creation page, which can result in escalation of privileges. |
| CVE-2025-70129 | Med | 0.34 | 5.3 | 0.00 | Mar 10, 2026 | If the anti-spam captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated in a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and… |
| CVE-2025-15438 | Med | 0.31 | 4.7 | 0.00 | Jan 2, 2026 | A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Manipulation of the argument File can lead to deserialization. The attack can be… |
| CVE-2012-2227 | — | 0.04 | — | 0.10 | Aug 26, 2012 | Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the default_lang parameter. |
| CVE-2007-3432 | — | 0.04 | — | 0.08 | Jun 27, 2007 | Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename. |
| CVE-2007-3542 | — | 0.03 | — | 0.02 | Jul 3, 2007 | Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. |
| CVE-2025-67436 | — | 0.00 | — | 0.01 | Dec 22, 2025 | Authenticated remote code execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). |
| CVE-2024-22636 | — | 0.00 | — | 0.01 | Jan 25, 2024 | PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited by injecting a crafted payload into the Content field. |
| CVE-2022-25020 | — | 0.00 | — | 0.01 | Mar 1, 2022 | A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post. |
| CVE-2022-25018 | — | 0.00 | — | 0.03 | Mar 1, 2022 | Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages. |
| CVE-2022-24587 | — | 0.00 | — | 0.01 | Feb 15, 2022 | A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. |
| CVE-2022-24585 | — | 0.00 | — | 0.01 | Feb 15, 2022 | A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. |
| CVE-2022-24586 | — | 0.00 | — | 0.01 | Feb 15, 2022 | A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. |
| CVE-2021-38603 | — | 0.00 | — | 0.01 | Aug 12, 2021 | PluXML 5.8.7 allows stored XSS in core/admin/profil.php via the Information field. |
| CVE-2021-38602 | — | 0.00 | — | 0.01 | Aug 12, 2021 | PluXML 5.8.7 allows stored XSS in Article Editing via the Headline or Content field. |
| CVE-2020-18185 | — | 0.00 | — | 0.02 | Oct 2, 2020 | class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modifying the configuration file in a Linux environment. |
| CVE-2020-18184 | — | 0.00 | — | 0.01 | Oct 2, 2020 | In PluXml V5.7, the theme edit function /PluXml/core/admin/parametres_edittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template. |
| CVE-2012-4675 | — | 0.00 | — | 0.01 | Aug 26, 2012 | Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update. |
| CVE-2012-4674 | — | 0.00 | — | 0.01 | Aug 26, 2012 | PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID. |