Skip to main content

Pluxml

13 CVEs product

Monthly

CVE-2025-70129 MEDIUM This Month

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. [CVSS 5.3 MEDIUM]

Information Disclosure Pluxml
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24351 MEDIUM This Month

PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-24350 MEDIUM This Month

Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-22636 HIGH POC This Week

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Pluxml
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-25020 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluxml
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
1.2%
CVE-2022-25018 HIGH POC This Week

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Pluxml
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.6%
CVE-2021-38603 MEDIUM POC This Month

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Pluxml
NVD GitHub
CVSS 3.1
4.8
EPSS
1.1%
CVE-2021-38602 MEDIUM POC This Month

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluxml
NVD GitHub
CVSS 3.1
4.8
EPSS
0.8%
CVE-2020-18185 CRITICAL POC Act Now

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a linux environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Pluxml
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2017-1001001 MEDIUM This Month

PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Pluxml
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2012-4675 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Pluxml
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-4674 MEDIUM This Month

PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Pluxml
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2012-2227 HIGH POC THREAT Act Now

Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 14.4%.

PHP Path Traversal Pluxml
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
14.4%
EPSS 0% CVSS 5.3
MEDIUM This Month

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. [CVSS 5.3 MEDIUM]

Information Disclosure Pluxml
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Pluxml
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluxml
NVD GitHub VulDB
EPSS 3% CVSS 8.8
HIGH POC This Week

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD GitHub VulDB
EPSS 1% CVSS 4.8
MEDIUM POC This Month

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Pluxml
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluxml
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a linux environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Pluxml
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Pluxml
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Pluxml
NVD
EPSS 14% CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 14.4%.

PHP Path Traversal Pluxml
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy