If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NPluxml
APPPluxml≤ 5.8.22
Related vulnerabilities
class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration f...
PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages f...
Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into s...
Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to includ...
Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload a...