Vulnerability Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pluxml | Pluxml | <= 5.8.22 |
Related Weaknesses (CWE)
References
- https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70128.pdfExploitThird Party Advisory
- https://youtu.be/iOXWpiljV0wExploit
- https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70128.pdfExploitThird Party Advisory
FAQ
What is CVE-2025-70128?
CVE-2025-70128 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supp...
How severe is CVE-2025-70128?
CVE-2025-70128 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-70128?
Check the references section above for vendor advisories and patch information. Affected products include: Pluxml Pluxml.