PluXml
cpe:2.3:a:pluxml:pluxml:*:*:*:*:*:*:*
- <= 5.8.22
A stored cross-site scripting vulnerability has been identified in the PluXml article comments feature, affecting versions through 5.8.22. The issue arises because the application does not properly sanitize user input in the 'link' field of comments. This allows attackers to inject arbitrary JavaScript, which is then stored in the database and executed in the Administration panel's 'Comments' section. While the malicious script does not appear in the public comments interface, it can be directly injected into existing comments by users with Administrator, Moderator, or Manager roles. This vulnerability specifically impacts '/core/admin/comments.php'.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the comments in the administration panel.
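One way to close this class of bug, shown as an added PHP example that is not PluXml's code or its actual patch: validate the comment's 'link' value when it is accepted, and HTML-encode it again when the administration 'Comments' view renders it. The function names `normalize_comment_link` and `render_link_cell`, the table-cell markup, and the assumption that the field is meant to hold an http(s) URL are all hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from PluXml.

/** Return the value if it is an acceptable http(s) URL, otherwise null. */
function normalize_comment_link(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // Reject control characters, whitespace and markup delimiters outright;
    // a legitimate URL carries these percent-encoded.
    if (preg_match('/[\x00-\x20\x7f"\'<>`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allowlist the scheme: this is what stops javascript:, data:, etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Render the link column of an admin comments table (assumed markup). */
function render_link_cell(?string $storedLink): string
{
    // Re-validate on output: rows written before the fix may still hold markup.
    $safe = $storedLink === null ? null : normalize_comment_link($storedLink);
    if ($safe === null) {
        return '<td></td>';
    }
    // Encode for the HTML attribute and text contexts the value lands in.
    $esc = htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td><a href="' . $esc . '" rel="nofollow noopener">' . $esc . '</a></td>';
}

// Constructed sample values, not taken from any report.
$samples = [
    'https://example.org/blog?a=1&b=2', // kept, "&" emitted as "&amp;"
    'javascript:void(0)',               // dropped: no host, scheme not allowed
    '"><b>injected</b>',                // dropped: markup delimiters
];
foreach ($samples as $s) {
    echo render_link_cell($s), PHP_EOL;
}
```

Re-validating at render time matters here because the description says the payload is stored in the database, so input validation alone leaves previously saved comments dangerous to anyone opening the admin view.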