Share
## https://sploitus.com/exploit?id=FA11C50B-7B46-54E3-838A-CBC1BCB509FD
# CVE-2025-67436
## Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22
#### Researcher : Chowdhury Faizal Ahammed

### Installation

```bash
git clone https://github.com/pluxml/PluXml.git
cd PluXml
ddev config --project-type=php --php-version=8.1 --docroot=.
ddev start
```










## Proof of Concept

**Step-by-Step Exploitation**

Authentication: Log in to the PluXML administrator panel with valid administrator credentials
Navigate to Theme Editor:

Access the administration dashboard
Navigate to: Themes โ†’ Home.php โ†’ Edit



Inject Malicious Payload:

- Replace the existing content in home.php with a PHP web shell
- Example payload: ``

- Save the modified file

Trigger Execution:

Visit the main home page of the website
The injected PHP code executes with web server privileges
- Remote commands can be executed via: http://target.com/?cmd=whoami

**Reverse Shell**



Payload of webshell

```html

  
    ">
      
      
    

    

    
  

```




## References

- **CVE-2025-67436**: [https://nvd.nist.gov/vuln/detail/CVE-2025-67436](https://nvd.nist.gov/vuln/detail/CVE-2025-67436)
- **PluXML Official Website**: [https://www.pluxml.org/](https://www.pluxml.org/)
- **PluXML GitHub Repository**: [https://github.com/pluxml/PluXml](https://github.com/pluxml/PluXml)
- **OWASP Top 10 - A03:2021 Injection**: [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)