CVE-2025-70128
Received Received - Intake
Stored XSS in PluXml Admin Comments Allows Persistent Script Injection

Publication date: 2026-03-10

Last updated on: 2026-04-07

Assigner: MITRE

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70128
EUVD
EUVD-2025-208518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pluxml pluxml to 5.8.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in the PluXml article comments feature for versions 5.8.22 and earlier. It occurs because the application does not properly sanitize or validate user input in the "link" field of a comment. An attacker can inject malicious JavaScript code using a <script> element, which is then stored in the database.

The injected script is executed when administrators view the "Comments" section in the backend administration panel. This means the attack targets administrative users rather than the public-facing comment interface. Additionally, users with Administrator, Moderator, or Manager roles can also input crafted payloads into existing comments, making this a persistent XSS vulnerability affecting the backend.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code within the administration panel of PluXml. Since the malicious script runs in the context of administrative users, it can lead to unauthorized actions such as stealing administrator session cookies, performing actions on behalf of administrators, or compromising the integrity of the administrative interface.

Because the attack targets privileged users, it can result in a significant security breach, potentially allowing attackers to gain control over the content management system or access sensitive administrative functions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart