CVE-2025-70128: n/a
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users with the Administrator, Moderator or Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a distinct vulnerability.
AI Analysis
Technical Summary
CVE-2025-70128 is a stored Cross-Site Scripting (XSS) vulnerability found in PluXml, an open-source CMS, affecting versions 5.8.22 and earlier. The flaw resides in the 'link' field of the article comments feature, where user input is not properly sanitized or validated, allowing an attacker to inject malicious JavaScript code encapsulated within a <script> tag. This injected code is persistently stored in the backend database and executed when administrative users access the Comments section in the administration panel (/core/admin/comments.php). Unlike reflected XSS, this stored XSS targets privileged users who review or manage comments, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the admin interface. Additionally, users with Administrator, Moderator, or Manager roles can exploit this vulnerability by directly inserting crafted payloads into existing comments, increasing the attack surface. The vulnerability is distinct from CVE-2022-24585, which affects a different admin file. The CVSS 3.1 base score of 6.1 indicates a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed due to the impact on administrative users, with limited confidentiality and integrity impacts and no availability impact. No patches or exploits are currently publicly available, but the vulnerability poses a risk to the integrity and confidentiality of administrative sessions and data.
Potential Impact
The primary impact of CVE-2025-70128 is on the confidentiality and integrity of administrative accounts within organizations using vulnerable PluXml versions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the admin panel, potentially leading to session hijacking, credential theft, or unauthorized administrative actions such as modifying content or user privileges. Since the malicious script executes only in the backend, the risk is confined to users with elevated roles, reducing the attack surface but increasing the severity for those users. Organizations relying on PluXml for content management may face risks of internal compromise, data manipulation, or further lateral movement within their infrastructure. Although no availability impact is noted, the breach of administrative control can have cascading effects on website integrity and trustworthiness. The lack of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation to prevent future attacks.
Mitigation Recommendations
Organizations should immediately audit their PluXml installations and upgrade to versions beyond 5.8.22 once patches are available. In the absence of official patches, administrators should implement strict input validation and sanitization on the 'link' field in comments, employing server-side filtering to remove or encode script tags and other potentially dangerous HTML elements. Restrict administrative panel access using multi-factor authentication (MFA) and IP whitelisting to reduce exposure. Regularly review and sanitize existing comments in the database to remove any malicious payloads. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts within the admin interface. Monitor administrative user activities and logs for suspicious behavior indicative of exploitation attempts. Educate privileged users about the risks of executing untrusted content and the importance of cautious comment management. Finally, segregate administrative interfaces from public-facing systems to minimize attack vectors.
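A worked illustration of the mitigation described above (validate the 'link' field on input, encode it on output, and send a Content Security Policy on admin pages), written as an added example that is not PluXml's own code. The function names, the constructed sample submissions and the exact CSP policy string are assumptions; the sanitizer generalises the advice to any comment link field rather than only the one rendered by /core/admin/comments.php.

```php
<?php
// Added example, not PluXml's own code: how a comment "link" field can be
// validated on input and encoded on output so that a stored value cannot run
// as script in the admin Comments view. Function names and the sample
// submissions below are constructed for illustration.

declare(strict_types=1);

/**
 * Validate a user-supplied comment link.
 * Returns the link when it is an absolute http(s) URL made only of characters
 * that are legal in a URL, otherwise null (store an empty link instead).
 */
function validate_comment_link(string $raw): ?string
{
    $link = trim($raw);
    if ($link === '' || strlen($link) > 2048) {
        return null;
    }
    // Only characters permitted by RFC 3986 (unreserved, reserved, percent).
    // This refuses <, >, ", whitespace and control characters outright.
    if (!preg_match('{^[A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]+$}', $link)) {
        return null;
    }
    $parts = parse_url($link);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    // A comment link only ever needs to be a web URL; refuse every other scheme.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $link;
}

/**
 * The pattern to avoid: concatenating the stored value straight into markup.
 * A stored <script> element is emitted verbatim and runs in the admin's browser.
 */
function render_comment_link_unsafe(string $link): string
{
    return '<a href="' . $link . '">' . $link . '</a>';
}

/**
 * Output encoding: htmlspecialchars with ENT_QUOTES turns <, >, &, " and '
 * into entities, so the value can neither close the attribute nor open an
 * element, whatever the database holds.
 */
function render_comment_link(?string $link): string
{
    if ($link === null) {
        return '<span>(no link)</span>';
    }
    $safe = htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
}

// Defence in depth for admin pages: a CSP that forbids inline script (assumed
// policy). Must be sent before any output; a no-op when run from the CLI.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// Constructed sample submissions (not real data).
$samples = [
    'https://example.com/blog',      // legitimate link, accepted as-is
    '<script>alert(1)</script>',     // the input class the advisory describes: refused
    'ftp://example.com/file',        // unsupported scheme: refused
    '',                              // no link given: rendered as "(no link)"
];

foreach ($samples as $raw) {
    $validated = validate_comment_link($raw);
    echo str_pad(var_export($raw, true), 30), ' -> ', render_comment_link($validated), PHP_EOL;
}

// Even if a raw value had already reached the database, encoding on output
// still neutralises it; the unsafe renderer shows the difference.
echo PHP_EOL, 'unsafe: ', render_comment_link_unsafe('<script>alert(1)</script>'), PHP_EOL;
echo 'safe:   ', render_comment_link('<script>alert(1)</script>'), PHP_EOL;
```

Run it with `php example.php`. The input-side check is defence in depth for data that has not yet been stored; the output-side encoding is the fix that also covers payloads already sitting in the database and those entered directly by Administrator, Moderator or Manager accounts, which is why the advisory's advice to re-sanitize existing comments matters. The CSP header is a third layer: with no `'unsafe-inline'` in `script-src`, an inline <script> that does reach the admin page is blocked by the browser.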
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-09T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69b071392f860ef943a5fd3e
Added to database: 3/10/2026, 7:30:01 PM
Last enriched: 3/18/2026, 7:07:38 PM
Last updated: 4/28/2026, 7:23:06 AM
Views: 46