PluXml CVE-2025-57567
CRITICALSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable admin panel (AV:N/AC:L), requires administrator so PR:H; writing an executable PHP file escalates from web app to OS (S:C) with full host compromise (C/I/A:H).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
AnalysisAI
Authenticated remote code execution in the PluXml flat-file CMS lets an administrator abuse the built-in theme editor to overwrite /themes/defaut/css/minify.php with arbitrary PHP, turning legitimate admin file-editing into full server command execution. The flaw (CWE-94 code injection) requires high privileges (admin) but no user interaction, and its CVSS 3.1 score of 9.1 reflects a scope change from the web application to the underlying OS. No public exploit code is confirmed beyond a vulnerability-disclosure PDF, and EPSS is low (0.90%), consistent with an admin-only prerequisite.
Technical ContextAI
PluXml is a lightweight, XML/flat-file-based PHP CMS that stores content and themes as files rather than in a database, and ships an administrative theme/CSS editor that writes directly to files on disk. The vulnerable component is minify.php under the default theme's CSS directory (/themes/defaut/css/minify.php), an executable PHP file within the web root. Because the editor permits saving arbitrary content to a .php file that the web server will subsequently interpret, this is a classic CWE-94 (Improper Control of Generation of Code / code injection) issue: attacker-controlled data is written into a script that is later executed by the PHP engine, giving OS-level command execution in the context of the web server user.
Affected ProductsAI
The affected product is the PluXml CMS (a PHP flat-file content management system), specifically its administrative theme editor and the default theme file at /themes/defaut/css/minify.php. The disclosure does not enumerate exact fixed/affected version numbers, and NVD provides no CPE range in the supplied data, so the precise affected version window is not independently confirmed. The only reference is the researcher's disclosure write-up at https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-57567.pdf; no official vendor advisory URL is present in the provided intelligence.
RemediationAI
No vendor-released patch identified at time of analysis and no exact fix version is provided in the source data, so remediation must rely on compensating controls until PluXml publishes a fixed release. Restrict administrator accounts to trusted personnel and enforce strong, unique credentials plus MFA at the reverse proxy, since exploitation requires admin access. As a concrete hardening step, make the theme directory non-writable by the web server user (chmod/chown so /themes/ and its .php files cannot be modified at runtime), which blocks the overwrite but disables in-panel theme editing. Additionally, configure the web/PHP layer to deny execution of PHP within the theme CSS directory (e.g., an nginx/Apache rule that serves /themes/defaut/css/ as static or a php_admin_flag engine off / location block), accepting that any legitimately dynamic asset there will stop functioning. Monitor for modifications to minify.php via file-integrity monitoring, and consult the disclosure at https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-57567.pdf for reproduction details; track the PluXml project for an official patched version and upgrade as soon as it is released.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today