CVE-2025-15438
Remote Deserialization Vulnerability in PluXml Media Module

Publication date: 2026-01-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in PluXml up to 5.8.22 in the Media Management module (core/admin/medias.php). Manipulating the File argument of the module's file operations leads to deserialization of attacker-controlled data; the deserialization sink is the FileCookieJar::__destruct method of the bundled Guzzle HTTP library, which the crafted input reaches through a phar:// stream wrapper. The attack can be launched remotely. An exploit has been publicly disclosed and may be used. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23"; the fix ships in that release.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: pluxml
Product: pluxml
Version / Range: up to and including 5.8.22
CWE
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 (Deserialization of Untrusted Data): The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15438 is a critical deserialization vulnerability in PluXml CMS up to version 5.8.22, in the Media Management module's file rename handling (core/admin/medias.php). An attacker with access to the admin backend first uploads a Phar archive disguised as an image file, then issues a rename request whose file path points at that upload through the phar:// stream wrapper. When PHP opens a phar:// path it unserializes the archive's metadata, and the attacker fills that metadata with an object of the FileCookieJar class from the bundled Guzzle HTTP library; FileCookieJar::__destruct() writes its cookie data to a file name the attacker chose, so the end result is a web shell written to disk and arbitrary PHP code execution on the server. Creating the malicious Phar requires phar.readonly=Off, but only on the attacker's own machine where the archive is built; the setting on the target does not govern whether a phar:// path it opens is deserialized. The attacker-controlled input is the user-supplied parameters of the backend file rename operation. [1, 3]


How can this vulnerability impact me? :

An attacker who can authenticate to the PluXml backend can execute arbitrary PHP code on the server by uploading a crafted Phar archive and triggering its deserialization through the rename function. That is a full compromise of the host running the site: confidentiality, integrity and availability are all affected. The usual payload writes a web shell, which gives the attacker persistent remote access and control over the system that no longer depends on the PluXml account used for the initial exploit. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two sides: the requests that trigger the deserialization and the uploaded files that carry the payload. On the request side, look for access to core/admin/medias.php whose parameters (the rename parameters 'oldname' and 'newname' in the disclosed exploit) contain a phar:// path. Note that standard Apache and nginx access logs record only the request line, so a wrapper path sent in a POST body never appears there; grep catches it only when it travels in the URL, and there it may be percent-encoded (phar%3A%2F%2F). To see POST parameters you need a WAF or ModSecurity audit log, a reverse proxy configured to log request bodies, or application-level logging. On the file side, a Phar stub must contain the token __HALT_COMPILER and a signed archive ends with the bytes GBMB, so files with image extensions in the media upload directory (data/medias in a default install) that contain either marker deserve a look. A search engine query such as inurl:core/admin/medias.php finds instances exposed on the internet, including your own; that is reconnaissance rather than detection. Commands that cover the log-visible part:
1) Find wrapper paths in the request line, plain or URL-encoded: `grep -iE 'phar(://|%3A%2F%2F)' /var/log/apache2/access.log`
2) List every access to the vulnerable script and review the POSTs separately: `grep 'core/admin/medias.php' /var/log/apache2/access.log`
3) Look for Phar markers in image-named files in the media upload directory: `grep -rl --include='*.jpg' --include='*.jpeg' --include='*.png' --include='*.gif' '__HALT_COMPILER' /path/to/pluxml/data/medias`
Also watch that directory for unexpected .php files and for renamed files. The cited resources provide no detection commands themselves; the ones above are generic. [2, 1]
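As an added example (not from this advisory, the cited resources, or the PluXml project), the Python script below implements the two checks described above: it parses Combined Log Format lines, percent-decodes the request target (including double encoding), flags requests to core/admin/medias.php that carry a stream wrapper, notes POSTs whose bodies the access log cannot show, and scans an upload directory for image-named files that contain Phar markers. The log lines, IP addresses and parameter values in the sample are constructed for the demo; the oldname/newname parameter names are the ones the advisory text mentions.

```python
import re
import sys
import urllib.parse
from pathlib import Path

VULN_SCRIPT = "core/admin/medias.php"

# Any URL scheme in a file-name parameter is out of place; phar:// is the one this CVE uses.
WRAPPER_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Combined Log Format: client ident user [time] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Parameter values are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2026:10:14:03 +0000] "POST /core/admin/medias.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2026:10:14:09 +0000] "GET /core/admin/medias.php?oldname=evil.jpg&newname=phar%3A%2F%2F..%2F..%2Fdata%2Fmedias%2Fevil.jpg%2Fx HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2026:10:15:00 +0000] "GET /core/admin/medias.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2026:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def decode_target(target: str) -> str:
    """Percent-decode until the string stops changing (bounded), so double encoding is seen through."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote_plus(cur)
    return cur


def scan_access_log(lines):
    """Return (ip, method, decoded target, reason) for requests to the media module that carry a
    stream wrapper, and for POSTs to it, whose parameters the access log cannot show."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_target(m["target"])
        if VULN_SCRIPT not in target:
            continue
        if WRAPPER_RE.search(target):
            findings.append((m["ip"], m["method"], target, "stream wrapper in request target"))
        elif m["method"] == "POST":
            findings.append((m["ip"], m["method"], target,
                             "POST to media module; body not logged, review separately"))
    return findings


def looks_like_phar(data: bytes) -> bool:
    """Heuristic Phar check for uploaded files: the stub must contain __HALT_COMPILER and a
    signed archive ends with the bytes GBMB. An image polyglot keeps a valid image header,
    so the magic bytes at offset 0 prove nothing; look at the whole file."""
    return b"__HALT_COMPILER" in data or data.endswith(b"GBMB")


def scan_media_dir(root, exts=(".jpg", ".jpeg", ".png", ".gif")):
    """Walk an upload directory and return image-named files that carry Phar markers."""
    root = Path(root)
    return [p for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in exts and looks_like_phar(p.read_bytes())]


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
    if len(sys.argv) > 1:  # optional: path to the media upload directory to scan
        for hit in scan_media_dir(sys.argv[1]):
            print("phar markers in", hit)
```

Run it with the path to the media directory as the only argument to add the file scan to the log scan. The POST finding is deliberately a "review this" item rather than a hit: the request line proves only that the rename endpoint was reached, and the parameters must be checked in a body-level log.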


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps:
1) Apply the vendor's patch by upgrading PluXml to version 5.8.23 or later, where the vulnerability is fixed.
2) Until patched, restrict or disable file upload and rename in the media management module.
3) Do not rely on phar.readonly: it only stops PHP from creating or modifying Phar archives on the host and has no effect on whether a phar:// path opened by the application is deserialized; the malicious archive is built on the attacker's machine. Running PHP 8.0 or later helps more, because PHP 8.0 stopped unserializing Phar metadata automatically on ordinary stream operations, but that narrows the gadget path rather than fixing the input validation bug.
4) Limit access to the backend admin interface to trusted users (network restriction or an additional authentication layer), since exploitation requires an authenticated session.
5) Reject or block requests to the backend whose file-name parameters contain a stream wrapper ('phar://' or any 'scheme://'), and strip path components so only a bare file name under the media directory is accepted.
6) Consider alternative products if patching is not possible.
These steps keep the crafted input from reaching the deserialization sink and so remove the path to remote code execution. [1, 2, 3]
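The check in step 5, written out in Python as an added illustration of the validation order that matters (decode, reject wrappers, reduce to a bare name, allowlist the extension). This is not PluXml's code; the media root and the extension allowlist are assumptions, and the function names are hypothetical.

```python
import posixpath
import re
import urllib.parse

# Assumed values for the illustration: PluXml's default media directory and a narrow allowlist.
MEDIA_ROOT = "/var/www/pluxml/data/medias"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# "scheme:" at the start, or "://" anywhere, means a stream wrapper or URL, never a plain file name.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


class RejectedName(ValueError):
    """Raised when a user-supplied media file name fails validation."""


def safe_media_target(user_name: str, media_root: str = MEDIA_ROOT) -> str:
    """Map an untrusted rename target to an absolute path under media_root, or raise.

    Order matters: decode first so encoded wrappers (phar%3A%2F%2F) are caught, then reject
    wrappers and NUL bytes, then reduce to a bare file name so traversal and subdirectories
    are impossible, then enforce an extension allowlist (which also rejects .phar and .php)."""
    name = urllib.parse.unquote(user_name)
    if "\x00" in name:
        raise RejectedName("NUL byte in name")
    if SCHEME_RE.match(name) or "://" in name:
        raise RejectedName("stream wrapper or URL scheme not allowed")
    base = posixpath.basename(name.replace("\\", "/"))
    if base != name or base in ("", ".", ".."):
        raise RejectedName("path components not allowed")
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise RejectedName(f"extension {ext!r} not allowed")
    full = posixpath.normpath(posixpath.join(media_root, base))
    root = media_root.rstrip("/") + "/"
    if not full.startswith(root):  # belt and braces; the basename check already guarantees this
        raise RejectedName("target escapes media root")
    return full


def is_safe_media_name(user_name: str) -> bool:
    """Boolean form for use in a request filter or WAF rule."""
    try:
        safe_media_target(user_name)
        return True
    except RejectedName:
        return False


if __name__ == "__main__":
    for candidate in ("photo.jpg", "phar://../../data/medias/evil.jpg/x", "phar%3A%2F%2Fevil.jpg",
                      "../../core/admin/shell.php", "evil.phar", "note.jpg.php"):
        try:
            print(f"{candidate!r:45} -> {safe_media_target(candidate)}")
        except RejectedName as err:
            print(f"{candidate!r:45} -> rejected: {err}")
```

The allowlist on the extension does not make an uploaded Phar-in-a-JPEG harmless by itself; it is the wrapper and path rejection that keeps phar:// out of the rename call, which is the step this CVE abuses.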

