CVE-2025-57567
PluXml · PluXml CMS
Executive summary
A critical remote code execution (RCE) vulnerability has been identified in the PluXml Content Management System (CMS). This flaw allows an unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise, data theft, and website defacement. Organizations using the affected software are at high risk and should take immediate action to mitigate this threat.
Vulnerability
A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically within the minify.php file of the default theme. An unauthenticated attacker can send a specially crafted HTTP request to this file, injecting malicious PHP code into one of its parameters. The server-side script fails to properly sanitize this input, passing it directly to a function that executes the code, granting the attacker full control over the web server with the permissions of the web service account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data (such as customer information or intellectual property), website defacement, service disruption, and the use of the compromised server to launch further attacks against other systems. This can result in significant financial loss, reputational damage, and potential legal or regulatory penalties.
Remediation
Immediate Action: Update PluXml CMS to the latest version as recommended by the vendor. After patching, monitor for any signs of post-exploitation activity and review web server access logs for any requests targeting the vulnerable minify.php file prior to the update.
Proactive Monitoring: Security teams should actively monitor for and alert on suspicious requests to /themes/defaut/css/minify.php. Look for unusual characters, long strings, or encoded payloads in the request parameters. Monitor for unexpected outbound network connections from the web server, the creation of new files in web directories (e.g., webshells), and unexpected processes being executed by the web server user.
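The log review and alerting described above can be implemented as a heuristic scan of web server access logs for requests that reach the vulnerable endpoint with oversized, heavily encoded, or oddly formed parameters. The following script is an added example, not part of the advisory or of PluXml's own code; the parameter name `f`, the thresholds, and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory; the thresholds below are assumptions chosen for this example.
TARGET_PATH = "/themes/defaut/css/minify.php"
MAX_PARAM_LEN = 64        # decoded parameter values longer than this are unusual for a CSS minifier
MAX_PERCENT_SEQS = 8      # more '%XX' sequences than this suggests an encoded payload
SUSPICIOUS_CHARS = re.compile(r"[<>;$`'\"(){}|\\]")  # characters a filename argument should not contain

# Combined log format: client, identity, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def inspect_request(url):
    """Return the reasons a request looks suspicious; [] when it misses the endpoint or looks benign."""
    parts = urlsplit(url)
    if unquote(parts.path).lower() != TARGET_PATH:   # normalize case and percent-encoded path variants
        return []
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # values are percent-decoded here
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"{name}: long value ({len(value)} chars)")
        if SUSPICIOUS_CHARS.search(value):
            reasons.append(f"{name}: unusual characters")
    if parts.query.count("%") > MAX_PERCENT_SEQS:
        reasons.append("heavily percent-encoded query string")
    return reasons

def scan_log(lines):
    """Return (client, timestamp, method, reasons) for every log line that triggers a detection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["url"])
        if reasons:
            hits.append((m["ip"], m["ts"], m["method"], reasons))
    return hits

# Constructed sample log lines (RFC 5737 test addresses); 'f' is a hypothetical parameter name.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET {TARGET_PATH}?f=style.css HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2025:10:01:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096',
    f'198.51.100.9 - - [10/Sep/2025:10:02:40 +0000] "GET {TARGET_PATH}?f={"%41" * 80} HTTP/1.1" 200 128',
    f'198.51.100.9 - - [10/Sep/2025:10:02:41 +0000] "GET {TARGET_PATH}?f=style.css%27 HTTP/1.1" 200 64',
]
if __name__ == "__main__":
    for ip, ts, method, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {TARGET_PATH}: {', '.join(reasons)}")
```

Tune the thresholds against a baseline of legitimate minify.php traffic before wiring the output into alerting, and run the scan over logs from before the patch date as the advisory recommends.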
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the minify.php endpoint.
- If the file is not essential for site functionality, deny all access to /themes/defaut/css/minify.php at the web server level (e.g., via .htaccess or Nginx configuration).
- Disable the theme editor functionality within the PluXml CMS administration panel if it is not required.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all systems running the affected PluXml CMS be patched immediately. If patching cannot be performed right away, the compensating controls listed above should be implemented as a matter of urgency. Although this vulnerability is not currently listed on the CISA KEV list, its high impact and potential for widespread exploitation make it a prime candidate for future inclusion, reinforcing the need for prompt remediation.