CVE-2025-70129
Received Received - Intake
Captcha Bypass in PluXml 5.8.22 Enables Automated Spam Comments

Publication date: 2026-03-10

Last updated on: 2026-04-07

Assigner: MITRE

Description
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70129
EUVD
EUVD-2025-208520
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pluxml pluxml to 5.8.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-804 The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in PluXml versions 5.8.22 and earlier when the anti spam-captcha functionality is enabled. The captcha challenge generated for articles can be automatically recognized and solved by automated scripts because the captcha details such as "capcha-letter", "capcha-word", and "capcha-token" are exposed within the document body of articles that have comments and anti spam-captcha enabled.

As a result, attackers can easily bypass the anti-spam mechanism and publish spam comments automatically.

Impact Analysis

This vulnerability allows attackers to flood articles with automated spam comments by trivially solving the captcha challenge.

If there are no other web defenses in place, this can lead to a significant increase in spam content on your website, which may degrade user experience, harm your site's reputation, and potentially affect site performance.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart