5.3

PluXml 5.8.22 and earlier: Automated Spam Comments

CVE-2025-70129
Summary

If you're using PluXml 5.8.22 or earlier with the anti-spam captcha enabled, an attacker can use automated software to bypass that protection and post spam comments on your articles. This is a concern if you don't have additional security measures in place. Update to a newer version to fix this issue.

Original title
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that ...
Original description
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of the captcha challenge are exposed within the document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token", which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.
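A site owner can check whether a rendered article page carries the three markers named in the description. The script below is an added example, not PluXml code or part of the CVE record: the function and class names are hypothetical, the sample markup is constructed rather than real PluXml output, and it reports only where the markers occur, never the challenge content.

```python
from html.parser import HTMLParser

# Marker strings named in the CVE description (spelling as in the advisory).
MARKERS = ("capcha-letter", "capcha-word", "capcha-token")


class CaptchaMarkerAudit(HTMLParser):
    """Record which elements inside <body> carry the advisory's markers."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_body = False
        self.hits = {m: [] for m in MARKERS}

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
            return
        if not self.in_body:
            return
        for name, value in attrs:
            for marker in MARKERS:
                # Match on attribute values only (class, id, name, ...);
                # the challenge content itself is never read or stored.
                if value and marker in value.lower():
                    self.hits[marker].append(f"<{tag} {name}=...>")

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False


def audit_article(html):
    """Return (exposed, hits): exposed is True when all three markers appear."""
    parser = CaptchaMarkerAudit()
    parser.feed(html)
    parser.close()
    exposed = all(parser.hits[m] for m in MARKERS)
    return exposed, parser.hits


# Constructed sample markup (not real PluXml output) for an offline run.
SAMPLE_EXPOSED = """<html><body><form method="post">
<span class="capcha-letter">x</span> <span class="capcha-word">y</span>
<input type="hidden" name="capcha-token" value="constructed">
</form></body></html>"""
SAMPLE_CLEAN = "<html><body><form method='post'><textarea name='content'></textarea></form></body></html>"

if __name__ == "__main__":
    for label, page in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_article(page))
```

Run it against saved HTML from each article template after upgrading; a page that still reports all three markers should be reviewed together with any other comment-spam defenses in front of the site.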
Vulnerability type
CWE-804
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026