CVE-2025-70128

Exploit

EPSS 0.03%
Veröffentlicht 10.03.2026 00:00:00
Zuletzt bearbeitet 07.04.2026 01:21:59
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pluxml ≫ Pluxml Version <= 5.8.22

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.094

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://youtu.be/iOXWpiljV0w

Exploit

https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70128.pdf

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-70128

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-70128

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-70128

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-70128