CVE-2021-38603 PoC — PluXml Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: PluXml Cross-Site Scripting Vulnerability (CVE-2021-38603)
Description: PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.
Readme
# CVE-2021-38603

A stored cross-site scripting (XSS) vulnerability is present on the Profile edit page, in the **Information:** field of each user.

## http://\<hostname/server ip\>/core/admin/profil.php

### Vulnerable Fields:

- Information:

![User Profile Page](PluXML_Profile.png)

Once inserted, XSS can be triggered by visiting any page/article created by that particular user.

![Profile XSS](PluXML_Profile_Stored_XSS.png)
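
An added example, not part of the original README or PluXml's own code: a defender-side audit that walks stored profile records and flags Information fields whose markup would run script when an article page renders them. The XML layout (`user`, `login`, `infos`) and the sample records are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample. The <user>/<login>/<infos> layout is an assumption
# made for this example, not PluXml's documented storage format.
SAMPLE_USERS_XML = """<document>
  <user number="001"><login>admin</login>
    <infos><![CDATA[<p>Site owner. <a href="https://example.org">Home</a></p>]]></infos></user>
  <user number="002"><login>editor</login>
    <infos><![CDATA[Writer <script>alert(1)</script>]]></infos></user>
  <user number="003"><login>guest</login>
    <infos><![CDATA[<img src="x.png" onerror="alert(1)"> <a href="JavaScript:alert(1)">me</a>]]></infos></user>
</document>"""

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class ActiveContentFinder(HTMLParser):
    """Collects reasons why a stored HTML fragment could execute script."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers such as onerror, onload
                self.findings.append(f"handler:{name}")
            scheme = "".join((value or "").split()).lower()  # browsers ignore whitespace in schemes
            if name in URL_ATTRS and scheme.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"url:{name}")

def audit_profiles(xml_text):
    """Return {login: [findings]} for users whose Information field holds active content."""
    report = {}
    for user in ET.fromstring(xml_text).iter("user"):
        finder = ActiveContentFinder()
        finder.feed(user.findtext("infos") or "")
        finder.close()
        if finder.findings:
            report[user.findtext("login")] = finder.findings
    return report

if __name__ == "__main__":
    for login, findings in audit_profiles(SAMPLE_USERS_XML).items():
        print(login, findings)
```

A hit here identifies records to clean up; the durable fix is encoding or allowlist-sanitizing the Information value where it is rendered.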
File Snapshot

[4.0K] /data/pocs/c4cbb652b612bb9192245f90ce39b9e5d17df9d1
├── [ 32K] PluXML_Profile.png
├── [554K] PluXML_Profile_Stored_XSS.png
└── [ 427] README.md

0 directories, 3 files