A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
CVSS Score
4.7
EPSS Score
0.001
Published
2026-01-02
Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVSS Score
8.8
EPSS Score
0.066
Published
2022-03-01
A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.
CVSS Score
5.4
EPSS Score
0.01
Published
2022-03-01
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-02-15
PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
CVSS Score
4.8
EPSS Score
0.005
Published
2021-08-12
PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.
CVSS Score
4.8
EPSS Score
0.008
Published
2021-08-12