PluXml CMS Session Fixation Vulnerability Allowing Session Hijacking

Vulnerability

A session fixation vulnerability has been identified in PluXml CMS versions 5.8.21 and 5.9.0-rc7. This vulnerability allows an attacker to set a session identifier for a user before authentication, with the session ID remaining unchanged after the user logs in. As a result, the attacker can hijack the authenticated session of the user. While only these two versions have been tested and confirmed vulnerable, other versions may also be affected.
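
The following is an added example, not code from PluXml or from this advisory: a minimal Python model of the behaviour described above, with a regression check for it. The SessionStore class, the three login functions and the user "alice" are constructed for illustration; the check also covers a partial fix that issues a new ID but leaves the old one valid, which goes beyond the case in the text.

```python
import secrets

class SessionStore:
    """Constructed in-memory model of server-side sessions (not PluXml code)."""
    def __init__(self):
        self.sessions = {}  # session id -> session data

    def open(self, presented_id=None):
        """Return the id for a request, issuing a new session if needed."""
        if presented_id in self.sessions:
            return presented_id
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def rotate(self, old_id, delete_old=True):
        """Attach the session data to a fresh id; optionally drop the old id."""
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = self.sessions[old_id]
        if delete_old:
            del self.sessions[old_id]
        return new_id

def login_unchanged_id(store, sid, user):
    """Behaviour the advisory describes: the id survives login unchanged."""
    store.sessions[sid]["user"] = user
    return sid

def login_rotate_keep_old(store, sid, user):
    """Incomplete fix: a new id is issued but the old one stays valid."""
    sid = store.rotate(sid, delete_old=False)
    store.sessions[sid]["user"] = user
    return sid

def login_rotate(store, sid, user):
    """Hardened: rotate at the privilege change and invalidate the old id."""
    sid = store.rotate(sid)
    store.sessions[sid]["user"] = user
    return sid

def pre_login_id_authenticated(login):
    """Regression check: True if an id known before login is logged in after."""
    store = SessionStore()
    fixed_id = store.open()               # id that existed before authentication
    sid = store.open(fixed_id)            # the user's request presents that id
    new_sid = login(store, sid, "alice")  # "alice" is a constructed sample user
    assert store.sessions[new_sid]["user"] == "alice"
    return store.sessions.get(fixed_id, {}).get("user") is not None
```

In PHP, the language PluXml is written in, the hardened path corresponds to calling session_regenerate_id(true) at login, where the true argument deletes the old session.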

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can take over an authenticated user's session.

Added: Feb 27, 2026, 12:18 PM
Updated: Feb 27, 2026, 2:11 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.3
exploitability: 6.5
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.