Pluxml

22 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.05%
  • Published 27.02.2026 11:35:27
  • Last modified 27.02.2026 18:36:00

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated se...

  • EPSS 0.05%
  • Published 27.02.2026 11:35:23
  • Last modified 27.02.2026 18:34:15

PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. The vendor was notified early ab...

  • EPSS 0.05%
  • Published 27.02.2026 11:35:08
  • Last modified 27.02.2026 18:33:58

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In versi...

Exploit
  • EPSS 0.06%
  • Published 02.01.2026 14:32:11
  • Last modified 27.02.2026 03:45:54

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserializ...

Exploit
  • EPSS 0.16%
  • Published 22.12.2025 00:00:00
  • Last modified 02.01.2026 16:58:24

Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).

  • EPSS 0.47%
  • Published 17.10.2025 00:00:00
  • Last modified 21.10.2025 19:31:50

A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this f...

  • EPSS 2.14%
  • Published 29.10.2024 22:15:03
  • Last modified 01.11.2024 12:57:35

A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.

Exploit
  • EPSS 4.77%
  • Published 25.01.2024 21:15:09
  • Last modified 30.05.2025 15:15:32

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited via injecting a crafted payload into the Content field.

Exploit
  • EPSS 0.99%
  • Published 01.03.2022 02:15:07
  • Last modified 21.11.2024 06:51:33

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

Exploit
  • EPSS 6.56%
  • Published 01.03.2022 02:15:07
  • Last modified 21.11.2024 06:51:33

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.