CVE-2025-15438
MEDIUMPluXml < 5.8.22 - Deserialization via FileCookieJar Destructor in Media Management Module
Title source: llmDescription
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
References (4)
Core 4
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.339383
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.339383
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.713989
Various Sources exploit
https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz
Scores
CVSS v3
4.7
EPSS
0.0039
EPSS Percentile
30.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
CWE-502
Status
published
Products (1)
pluxml/pluxml
< 5.8.22
Published
Jan 02, 2026
Tracked Since
Feb 18, 2026