CVE-2025-15438— PluXml Media Management medias.php __destruct deserialization
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-15438
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PluXml Media Management medias.php __destruct deserialization
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
PluXml 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PluXml是PluXml开源的一个免费的开源内容管理系统,不需要数据库即可工作。 PluXml 5.8.22及之前版本存在代码问题漏洞,该漏洞源于对组件Media Management Module中文件core/admin/medias.php内参数File的错误操作,可能导致反序列化攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| - | PluXml | 5.8.0 | cpe:2.3:a:pluxml:pluxml:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2025-15438
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-15438
请登录查看更多情报信息。
- Submit #713989: PluXml 5.8.22 Deserialization Vulnerabilitythird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-15438
Same Patch Batch · n/a · 2026-01-02 · 12 CVEs total
| CVE-2025-15439 | 6.3 MEDIUM | Daptin Aggregate API resource_aggregate.go goqu.L sql injection |
| CVE-2025-15437 | 3.5 LOW | LigeroSmart Environment Variable cross site scripting |
| CVE-2025-15419 | 3.3 LOW | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of servi |
| CVE-2024-55374 | REDCap 安全漏洞 | |
| CVE-2025-45286 | go-httpbin 安全漏洞 | |
| CVE-2025-67158 | Revotech I6032W-FHW 安全漏洞 | |
| CVE-2025-67160 | Vatilon IP Cameras 安全漏洞 | |
| CVE-2025-67159 | Vatilon IP Cameras 安全漏洞 | |
| CVE-2025-67268 | gpsd 安全漏洞 | |
| CVE-2025-67269 | gpsd 安全漏洞 | |
| CVE-2025-65125 | online-movie-booking 安全漏洞 |
IV. Related Vulnerabilities
Same product: PluXml
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-41586
ObjectInputStream.readObject() without ObjectInputFilter in - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization
V. Comments for CVE-2025-15438
No comments yet