CVE-2025-15438
Unknown Unknown - Not Provided
Remote Deserialization Vulnerability in PluXml Media Module

Publication date: 2026-01-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15438
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pluxml pluxml to 5.8.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15438 is a critical deserialization vulnerability in PluXml CMS up to version 5.8.22, specifically in the Media Management module's file renaming functionality. An attacker can upload a malicious Phar archive disguised as an image file and then exploit the file rename process by manipulating the file path to trigger deserialization of the Phar archive. This deserialization occurs via the FileCookieJar::__destruct() method in the Guzzle HTTP library, which leads to arbitrary PHP code execution on the server by writing a web shell file. The vulnerability requires disabling the phar.readonly setting in PHP and involves user-controlled parameters in the backend file rename operation. [1, 3]

Impact Analysis

This vulnerability allows a remote attacker with authentication to execute arbitrary PHP code on the affected server by uploading a crafted Phar file and triggering its deserialization. This can lead to full compromise of the server, including confidentiality, integrity, and availability impacts. The attacker can write a web shell to the server, enabling persistent remote access and control over the system. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious file uploads and rename operations involving phar stream wrappers in the backend, especially targeting the core/admin/medias.php file. You can look for HTTP POST requests with parameters 'oldname' or 'newname' containing 'phar://' paths. Additionally, searching your web server logs for accesses to core/admin/medias.php and unusual file rename activities may help. Using Google dorking with queries like 'inurl:core/admin/medias.php' can identify vulnerable targets. Specific commands to detect this might include: 1) Using grep on web server logs to find suspicious POST requests: `grep -i 'phar://' /var/log/apache2/access.log` 2) Searching for accesses to the vulnerable script: `grep 'core/admin/medias.php' /var/log/apache2/access.log` 3) Monitoring file system changes in the media upload directories for unexpected PHP files or renamed files with .jpg extensions that are actually phar archives. However, no direct detection commands are provided in the resources. [2, 1]

Mitigation Strategies

Immediate mitigation steps include: 1) Applying the vendor's patch by upgrading PluXml to version 5.8.23 or later, where the vulnerability is fixed. 2) Restricting or disabling file upload and rename functionalities in the media management module until patched. 3) Ensuring the PHP configuration directive 'phar.readonly' is enabled to prevent phar deserialization exploits. 4) Limiting access to the backend admin interface to trusted users only, as exploitation requires authentication. 5) Monitoring and blocking suspicious requests involving 'phar://' stream wrappers. 6) Considering alternative products if patching is not immediately possible. These steps help prevent exploitation of the deserialization vulnerability and remote code execution. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart