CVE-2025-70128: n/a
A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a <script> element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users with the Administrator, Moderator or Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, a uniquely distinct vulnerability.
AI Analysis
Technical Summary
CVE-2025-70128 is a stored Cross-Site Scripting (XSS) vulnerability in the PluXml content management system, affecting versions 5.8.22 and earlier. It is caused by insufficient validation and sanitization of the 'link' field in the article comments feature. An attacker can submit arbitrary JavaScript inside <script> tags in that field, and the payload is persisted in the application's database. When an administrator or a user with an elevated role (Administrator, Moderator, Manager) opens the Comments section of the backend administration panel (/core/admin/comments.php), the stored value is rendered without encoding and the script executes in that user's browser. Because the payload is rendered only in the backend comments view, the public-facing comment display is not affected, which limits the attack surface to backend users. Users with elevated roles can also edit existing comments and inject payloads themselves, which raises the risk of insider misuse or privilege abuse. The vulnerability is distinct from CVE-2022-24585, which affects a different admin comment endpoint. No patches or exploit code are publicly available at the time of writing, and no CVSS score has been assigned. Successful exploitation could lead to session hijacking, credential theft, unauthorized actions in the admin panel, or follow-on attacks such as malware installation or privilege escalation.
Potential Impact
The primary impact of CVE-2025-70128 is on the confidentiality and integrity of administrative accounts within organizations using PluXml CMS. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of privileged backend users, potentially leading to session hijacking, theft of authentication tokens, or unauthorized administrative actions. This can compromise the entire CMS, enabling attackers to modify content, escalate privileges, or deploy additional malware. Although the public-facing site is not directly affected, the backend compromise can have severe consequences, including data breaches, defacement, or loss of control over the website. Organizations relying on PluXml for content management, especially those with multiple administrators or moderators, face increased risk. The lack of known exploits in the wild suggests limited current impact, but the vulnerability's persistence and targeting of high-privilege users make it a significant threat if weaponized. Additionally, insider threats or compromised admin accounts could leverage this vulnerability to maintain persistence or evade detection.
Mitigation Recommendations
To mitigate CVE-2025-70128, organizations should first confirm whether they are running PluXml version 5.8.22 or earlier and upgrade as soon as a fixed release is published. Until an official patch is available, administrators should apply strict validation to the 'link' field of comments (for example, accepting only well-formed http/https URLs) and ensure the stored value is output-encoded wherever it is rendered, so that script tags and other executable content cannot be interpreted as HTML. Deploy Content Security Policy (CSP) headers on the admin panel to restrict script sources and blunt the effect of any injected script. Limit administrative access to trusted personnel and enforce multi-factor authentication (MFA) to reduce the impact of compromised accounts. Regularly audit existing comments in the backend and remove any malicious payloads. Monitor administrative user activity for unusual behavior that may indicate exploitation. Additionally, consider isolating the admin interface at the network level and restricting access via VPN or IP allow-listing to reduce exposure. Educate administrators about the risks of clicking on suspicious links or executing untrusted content within the admin panel.
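The following is an added illustration of the two controls recommended above (validating the 'link' field on input and output-encoding it when the admin comments view renders it), plus a restrictive CSP header for the admin panel. It is not PluXml's own code; the function names, the `$samples` inputs and the exact CSP directives are assumptions chosen for the example.

```php
<?php
// Added example (not PluXml code): defensive handling of a comment "link" field.
// All function names and the sample inputs below are assumptions for illustration.

declare(strict_types=1);

/**
 * Validate a comment link on input: accept only absolute http/https URLs and
 * reject anything containing characters that could close an attribute or open
 * a tag. Returns the trimmed URL, or null if the value must be rejected.
 */
function validateCommentLink(string $link): ?string
{
    $link = trim($link);
    if ($link === '') {
        return null; // empty link: store nothing rather than an unchecked value
    }
    if (strlen($link) > 255 || preg_match('/[<>"\'\s]/', $link)) {
        return null; // tag or attribute delimiters are never valid in a URL here
    }
    if (filter_var($link, FILTER_VALIDATE_URL) === false) {
        return null; // not a syntactically valid absolute URL
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // only web links are allowed; other schemes are rejected
    }
    return $link;
}

/**
 * Output-encode on render: the admin comments view must never echo a stored
 * value raw, regardless of what validation happened at write time.
 */
function renderCommentLinkHtml(?string $link): string
{
    if ($link === null || $link === '') {
        return '';
    }
    $safe = htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow noopener" target="_blank">' . $safe . '</a>';
}

/**
 * Defence in depth for the admin panel: a CSP that allows scripts only from
 * the site's own origin and forbids inline scripts, so an injected <script>
 * element would not run even if an encoding step were missed somewhere.
 * Directive values are an assumption; tune them to the site's real asset origins.
 */
function sendAdminCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample inputs (not real comment data):
$samples = [
    'https://example.com/blog',            // accepted
    'http://example.com/?q=a&b=c',         // accepted; '&' is encoded on output
    '<script>x</script>',                  // rejected: tag characters
    'ftp://example.com/file',              // rejected: scheme is not http(s)
    'https://example.com/" onfocus="x',    // rejected: quote and whitespace
];

foreach ($samples as $s) {
    $ok = validateCommentLink($s);
    printf("%-36s -> %s\n", $s, $ok === null ? 'REJECTED' : 'stored: ' . renderCommentLinkHtml($ok));
}
```

Validation and output encoding are deliberately kept as separate functions: validation reduces what reaches the database, but the encoding step is what actually prevents stored content from being interpreted as markup in /core/admin/comments.php, and it must be applied even to comments that were written before the validation existed. The CSP is a third, independent layer that limits damage if either of the first two is bypassed.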
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-09T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69b071392f860ef943a5fd3e
Added to database: 3/10/2026, 7:30:01 PM
Last enriched: 3/10/2026, 7:46:56 PM
Last updated: 3/13/2026, 8:33:32 AM
Views: 11