Skip to main content

PluXml CVE-2025-57567

CRITICAL
Code Injection (CWE-94)
2025-10-17 cve@mitre.org
9.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable admin panel (AV:N/AC:L), requires administrator so PR:H; writing an executable PHP file escalates from web app to OS (S:C) with full host compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:54 vuln.today

DescriptionCVE.org

A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.

AnalysisAI

Authenticated remote code execution in the PluXml flat-file CMS lets an administrator abuse the built-in theme editor to overwrite /themes/defaut/css/minify.php with arbitrary PHP, turning legitimate admin file-editing into full server command execution. The flaw (CWE-94 code injection) requires high privileges (admin) but no user interaction, and its CVSS 3.1 score of 9.1 reflects a scope change from the web application to the underlying OS. No public exploit code is confirmed beyond a vulnerability-disclosure PDF, and EPSS is low (0.90%), consistent with an admin-only prerequisite.

Technical ContextAI

PluXml is a lightweight, XML/flat-file-based PHP CMS that stores content and themes as files rather than in a database, and ships an administrative theme/CSS editor that writes directly to files on disk. The vulnerable component is minify.php under the default theme's CSS directory (/themes/defaut/css/minify.php), an executable PHP file within the web root. Because the editor permits saving arbitrary content to a .php file that the web server will subsequently interpret, this is a classic CWE-94 (Improper Control of Generation of Code / code injection) issue: attacker-controlled data is written into a script that is later executed by the PHP engine, giving OS-level command execution in the context of the web server user.

Affected ProductsAI

The affected product is the PluXml CMS (a PHP flat-file content management system), specifically its administrative theme editor and the default theme file at /themes/defaut/css/minify.php. The disclosure does not enumerate exact fixed/affected version numbers, and NVD provides no CPE range in the supplied data, so the precise affected version window is not independently confirmed. The only reference is the researcher's disclosure write-up at https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-57567.pdf; no official vendor advisory URL is present in the provided intelligence.

RemediationAI

No vendor-released patch identified at time of analysis and no exact fix version is provided in the source data, so remediation must rely on compensating controls until PluXml publishes a fixed release. Restrict administrator accounts to trusted personnel and enforce strong, unique credentials plus MFA at the reverse proxy, since exploitation requires admin access. As a concrete hardening step, make the theme directory non-writable by the web server user (chmod/chown so /themes/ and its .php files cannot be modified at runtime), which blocks the overwrite but disables in-panel theme editing. Additionally, configure the web/PHP layer to deny execution of PHP within the theme CSS directory (e.g., an nginx/Apache rule that serves /themes/defaut/css/ as static or a php_admin_flag engine off / location block), accepting that any legitimately dynamic asset there will stop functioning. Monitor for modifications to minify.php via file-integrity monitoring, and consult the disclosure at https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-57567.pdf for reproduction details; track the PluXml project for an official patched version and upgrade as soon as it is released.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-57567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy