CVE-2025-70128

Source
https://cve.org/CVERecord?id=CVE-2025-70128
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70128.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-70128
Downstream
Published
2026-03-10T00:00:00Z
Modified
2026-07-08T08:12:20.420926875Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/70xxx/CVE-2025-70128.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/pluxml/pluxml

Affected ranges

Type
GIT
Repo
https://github.com/pluxml/pluxml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:pluxml:pluxml:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.8.22"
        }
    ]
}

Affected versions

5.*
5.4
5.5
5.6
5.8.9
v5.*
v5.7
v5.8
v5.8.1
v5.8.12
v5.8.13
v5.8.14
v5.8.15
v5.8.16
v5.8.17
v5.8.18
v5.8.19
v5.8.2
v5.8.20
v5.8.21
v5.8.22
v5.8.22-urlredirection
v5.8.3
v5.8.5
v5.8.7
v5.8.8
v5.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70128.json"