Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users of Administrator, Moderator, Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.

INFO

Published Date :

2026-03-10T00:00:00.000Z

Last Modified :

2026-03-12T18:41:43.048Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-70128 vulnerability.

Vendors Products
Pluxml
  • Pluxml
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-70128.

URL Resource
https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70128.pdf cve-icon cve-icon cve-icon
https://youtu.be/iOXWpiljV0w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact