CVE-2025-70129

Medium CVSS: 5.3

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.

Vendor

Pluxml

Product

Pluxml

CWE

CWE-804

Yayın Tarihi

2026-03-10 20:16:20

Güncelleme

2026-04-07 01:21:14

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-804 Pluxml MEDIUM Pluxml 2026

Referanslar

https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70129.pdf https://youtu.be/dD2olE4yMqY

Benzer Kayıtlar

Medium

CVE-2025-70128

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.…

Medium

CVE-2026-24351

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can injec…

Medium

CVE-2026-24352

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the sa…

Medium

CVE-2026-24350

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file…

Medium

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file co…

Medium

CVE-2025-67436

Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inj…