CVE-2025-67436
Authenticated RCE in PluXml CMS 5.8.22 Theme Files
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pluxml | pluxml | 5.8.22 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Authenticated Remote Code Execution (RCE) flaw in PluXml CMS version 5.8.22. It allows an attacker who has access to the administrator panel to inject a malicious PHP webshell into a theme file, such as home.php. This means the attacker can insert harmful code into the website's theme files, which can then be executed remotely.
How can this vulnerability impact me? :
The vulnerability allows an attacker with administrator access to execute arbitrary PHP code on the server by injecting a malicious webshell into theme files. This can lead to full system compromise, including executing system commands, reading, modifying, or deleting sensitive files and databases, compromising confidentiality, integrity, and availability of the system, and potentially establishing persistent backdoors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious file uploads, especially ZIP archives uploaded via the admin panel, and checking for unexpected PHP files in theme directories such as home.php. File integrity checks on theme files can help identify unauthorized modifications. Commands to detect suspicious PHP files could include: `find /path/to/pluxml/themes/ -name '*.php' -exec grep -l '<?php' {} +` to find PHP files, and `diff` or `sha256sum` to compare current theme files against known good versions. Additionally, monitoring web server logs for unusual access patterns to theme PHP files may help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting module upload access strictly to trusted administrators, monitoring upload activities for suspicious ZIP files, and performing file integrity checks to detect malicious uploads. Ensuring that only authorized personnel have admin panel access and disabling or limiting the ability to upload modules or themes can reduce risk. Regularly updating PluXml CMS to the latest secure version and reviewing uploaded files for unexpected PHP code are also recommended. [2]