CVE-2025-70128
Received Received - Intake
Stored XSS in PluXml Admin Comments Allows Persistent Script Injection

Publication date: 2026-03-10

Last updated on: 2026-04-07

Assigner: MITRE

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-04-07
Generated
2026-05-07
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-70128
EUVD
EUVD-2025-208518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pluxml pluxml to 5.8.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in the PluXml article comments feature for versions 5.8.22 and earlier. It occurs because the application does not properly sanitize or validate user input in the "link" field of a comment. An attacker can inject malicious JavaScript code using a <script> element, which is then stored in the database.

The injected script is executed when administrators view the "Comments" section in the backend administration panel. This means the attack targets administrative users rather than the public-facing comment interface. Additionally, users with Administrator, Moderator, or Manager roles can also input crafted payloads into existing comments, making this a persistent XSS vulnerability affecting the backend.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code within the administration panel of PluXml. Since the malicious script runs in the context of administrative users, it can lead to unauthorized actions such as stealing administrator session cookies, performing actions on behalf of administrators, or compromising the integrity of the administrative interface.

Because the attack targets privileged users, it can result in a significant security breach, potentially allowing attackers to gain control over the content management system or access sensitive administrative functions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart